nefilim_ransomware_group

Also known asNefilim Ransomware Group

Nefilim is a ransomware group associated in the provided content with Ukrainian nationals Artem Aleksandrovych Stryzhak and alleged administrator Volodymyr Tymoshchuk. The group conducted ransomware attacks against organizations in the U.S. and Europe from at least 2018 to 2021, with reporting in the content also stating it primarily targeted companies in the U.S., Canada, and Australia with more than $100 million in annual revenue. Victim sectors explicitly mentioned include engineering, aviation, chemicals, insurance, construction, pet care, eyewear, and oil and gas transportation, and victims in Germany, the Netherlands, Norway, and Switzerland are also noted. The group customized ransomware files and ransom notes for each victim, created unique decryption keys, researched companies’ net worth, size, and contact information after network breaches, and extorted victims by threatening to publish stolen data. The attacks caused millions of dollars in losses. The content states that Stryzhak gained access to the Nefilim ransomware code in June 2021 in exchange for 20% of ransom proceeds. Volodymyr Tymoshchuk is described as an administrator of the Nefilim ransomware group and as also being charged in connection with administering LockerGoga and MegaCortex ransomware operations. No additional aliases for the Nefilim group itself are provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyberscoopNews

Dec 19, 2025

Ukrainian national pleads guilty to Nefilim ransomware attacks

The Nefilim ransomware group is responsible for a series of ransomware attacks targeting high-revenue organizations in the US, Canada, Australia, and several European countries. They extorted victims by encrypting networks, stealing data, and threatening to publish it unless ransoms were paid. The group customized ransomware payloads for each victim and researched targets to maximize extortion.

sentinelone blogNews

Sep 12, 2025

The Good, the Bad and the Ugly in Cybersecurity – Week 37

From 2019 to 2021, the group breached over 250 companies worldwide, stealing millions and disrupting critical services. Nefilim was managed as a ransomware-as-a-service operation.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.