Mallory

Nefilim

Also known as: nefilim, nephilim

Nefilim, also spelled Nephilim, is a ransomware operation that emerged in March 2020. It used an affiliate-based model: administrators gave affiliates access to the ransomware and supporting resources in exchange for 20% of ransom proceeds. Reported administrators include Volodymyr Viktorovych Tymoshchuk, a Ukrainian national who, according to the reporting summarized here, administered Nefilim from July 2020 through October 2021 and has also been charged in connection with LockerGoga and MegaCortex. Artem Aleksandrovych Stryzhak, also a Ukrainian national, is identified as a Nefilim affiliate who pleaded guilty in the United States to deploying the ransomware against corporate networks in the United States and other countries.

The operation targeted corporations worldwide, including victims in the United States, Norway, France, Switzerland, Germany, and the Netherlands. Administrators encouraged affiliates to target companies in the United States, Canada, and Australia with annual revenues above $100 million, later raised to above $200 million. Named victims and targeting examples include Whirlpool and unpatched Citrix gateways.

Nefilim used double extortion: attackers stole data, encrypted victim networks, and threatened to publish the stolen information on "Corporate Leaks" sites if the ransom was not paid. Each attack used a customized ransomware executable with a unique decryption key and a ransom note tailored to the victim. Affiliates used an online panel to research and select victims by company size, revenue, net worth, and contact details. Nefilim attacks caused millions in losses, and the broader schemes associated with Tymoshchuk extorted more than 250 companies in the United States and hundreds more globally.

Nefilim attacks leveraged fast flux DNS infrastructure, and fast flux has been specifically cited in Nefilim activity (MITRE ATT&CK T1568.001, listed in the tradecraft mapping below). Known aliases: Nefilim, Nephilim.
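The one ATT&CK technique attributed to Nefilim on this page is Fast Flux DNS (T1568.001): a domain is pointed at a rapidly changing set of addresses with short TTLs so that the infrastructure behind it is hard to block. The following Python is an added example, not code from this page or from Mallory, showing how a defender can triage passive-DNS or resolver-log observations for that pattern. The domain names, addresses, timestamps and thresholds are constructed for the example; the heuristic combines address churn within a time window, low TTLs and spread across several /24 networks, because plain round-robin and CDN hosting also rotate addresses but usually stay inside a few networks. Treat a hit as a lead for analyst review, not a verdict.

```python
"""Heuristic fast-flux DNS triage over passive-DNS style observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import median


@dataclass(frozen=True)
class DnsObservation:
    ts: int       # observation time, Unix seconds
    qname: str    # queried name
    rdata: str    # resolved IPv4 address (A record)
    ttl: int      # TTL the resolver reported


# Constructed sample: names, addresses and timestamps are invented for this example.
BASE = 1_700_000_000
SAMPLE = (
    # flux-like: eight addresses spread over three /24s, low TTLs, all within 35 minutes
    [DnsObservation(BASE + i * 300, "flux-example.test", ip, ttl)
     for i, (ip, ttl) in enumerate([
         ("203.0.113.10", 60), ("198.51.100.7", 120), ("192.0.2.44", 60),
         ("203.0.113.200", 180), ("198.51.100.99", 60), ("192.0.2.8", 90),
         ("203.0.113.77", 60), ("198.51.100.150", 120)])]
    # CDN-like: five rotating addresses with short TTLs, but all inside one /24
    + [DnsObservation(BASE + i * 300, "cdn-example.test", ip, 60)
       for i, ip in enumerate(["192.0.2.101", "192.0.2.102", "192.0.2.103",
                               "192.0.2.104", "192.0.2.105"])]
    # static corporate host: one address, long TTL
    + [DnsObservation(BASE + i * 900, "corp-example.test", "198.51.100.5", 3600)
       for i in range(4)]
)


def peak_distinct_ips(obs, window_s):
    """Largest number of distinct addresses seen for one name inside any window_s span."""
    obs = sorted(obs, key=lambda o: o.ts)
    best = 0
    for i, start in enumerate(obs):
        seen = {o.rdata for o in obs[i:] if o.ts - start.ts <= window_s}
        best = max(best, len(seen))
    return best


def summarize(observations, window_s=3600):
    """Per-name statistics that the fast-flux decision is based on."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.qname.lower().rstrip(".")].append(o)
    summary = {}
    for name, obs in by_name.items():
        summary[name] = {
            "distinct_ips": len({o.rdata for o in obs}),
            # /24 diversity separates flux (many unrelated hosts) from CDN/round-robin pools
            "distinct_24s": len({ip_network(f"{o.rdata}/24", strict=False) for o in obs}),
            "median_ttl": median([o.ttl for o in obs]),
            "peak_ips_in_window": peak_distinct_ips(obs, window_s),
        }
    return summary


def is_fast_flux(stats, min_ips=5, min_networks=3, max_ttl=300):
    """Assumed thresholds: tune them against your own resolver baseline."""
    return (stats["peak_ips_in_window"] >= min_ips
            and stats["distinct_24s"] >= min_networks
            and stats["median_ttl"] <= max_ttl)


def flag_fast_flux(observations, window_s=3600, **thresholds):
    """Map each observed name to True if it matches the fast-flux heuristic."""
    return {name: is_fast_flux(s, **thresholds)
            for name, s in summarize(observations, window_s).items()}


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE).items():
        print(name, stats, "FLUX?" if is_fast_flux(stats) else "")
```

Only the constructed flux-like name is flagged; the CDN-like name rotates addresses with a short TTL but stays in one /24, and the corporate host never changes. In production the same logic would run over real resolver logs, with the thresholds set from a baseline of the organization's own traffic.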


MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic: 1 of 15 tactics, 2 techniques (×N = number of intelligence reports citing the technique).

TA0011 Command and Control (1 technique)
  T1568 Dynamic Resolution
    T1568.001 Fast Flux DNS