Nefilim
Nefilim is a ransomware family and ransomware operation, also spelled "Nephilim", that emerged in March 2020 and is described as a successor to the Nemty ransomware family. It operated as an affiliate-based scheme: administrators supplied affiliates with the malware and supporting resources in exchange for a share of ransom proceeds, which multiple reports put at 20% of ransom revenue paid to the administrators.

The malware was used to encrypt victim networks worldwide and was paired with double extortion: operators stole data, encrypted systems, and threatened to publish the stolen information on "Corporate Leaks" sites if victims did not pay. The operation generated a customized ransomware executable, a unique decryption key, and a tailored ransom note for each victim.

Reported targeting focused on large, high-revenue corporate victims, especially companies in the United States, Canada, and Australia, with revenue thresholds cited above $100 million and later above $200 million annually. Victim industries reported include aviation, engineering, chemicals, eyewear, insurance, construction, energy/oil and gas transportation, and pet care, with additional victims in the U.S., Germany, the Netherlands, Norway, Switzerland, France, and other countries. Attacks using Nefilim are reported to have caused millions of dollars in ransom and recovery losses.

Operationally, Nefilim has been associated with fast-flux infrastructure, and Mandiant research cites process kill lists deployed alongside Nefilim samples. Trend Micro reports that Nefilim drops MegaSync under its normal file name and into its normal file path, consistent with its use as data-exfiltration support tooling; a legitimate sync client sitting where it would normally be installed is not anomalous on path or name alone, so detection has to rest on which process is talking to Mega rather than on where the binary lives.
The content links the operation to Ukrainian national Volodymyr Viktorovich Tymoshchuk, identified in charging documents as an administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations and currently at large, and to affiliate Artem Aleksandrovych Stryzhak, who pleaded guilty to deploying Nefilim against corporate networks after receiving access to the ransomware code in June 2021.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Discovery (1 technique)

Command and Control (1 technique)

Exfiltration (1 technique)
On top of client applications such as those provided by Mega, many ransomware families may use other software or built-in operating system utilities to exfiltrate data. We’ll use Mega as the example here... you can look for execution of any process that is not chrome.exe ... initiating a network connection to the domains mega.io or mega.co.nz .
Impact (3 techniques)
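The quoted exfiltration logic (any process other than chrome.exe initiating a connection to mega.io or mega.co.nz) and the Trend Micro note that MegaSync is dropped under its normal name and path both point at the same detection: allowlist the browser, alert on everything else that reaches Mega, and do not trust the binary's location. The following is an added example, not code from the page or from any vendor cited on it, that runs that logic over constructed Sysmon Event ID 3 (network connection) records. The field names follow Sysmon's network-connection event (Image, DestinationHostname, DestinationIp, User, Computer); the sample events are constructed for this example, and the allowlist of only chrome.exe mirrors the quoted logic rather than any particular environment.

```python
"""Added example: flag non-browser processes connecting to Mega domains.

Models the quoted Red Canary-style logic over Sysmon EID 3 records.
Sample events below are constructed; they are not real telemetry.
"""
import json

# Domains named in the quoted detection logic.
MEGA_DOMAINS = ("mega.io", "mega.co.nz")

# Processes allowed to talk to Mega. The quoted logic excludes only chrome.exe.
# Keeping the allowlist to image names (not paths) means MEGAsync.exe still
# fires even when it sits under its normal install path with its normal name.
ALLOWED_IMAGES = {"chrome.exe"}


def host_matches(hostname: str, domains=MEGA_DOMAINS) -> bool:
    """True if hostname equals one of the domains or is a subdomain of one.

    Requiring the dot boundary rejects lookalikes such as notmega.co.nz,
    and anchoring on the suffix rejects mega.co.nz.evil.example, where the
    Mega labels are not the registered domain.
    """
    h = hostname.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return one alert per EID 3 event where a non-allowlisted process
    connects to a Mega domain.

    Events without DestinationHostname are skipped: a bare DestinationIp
    cannot be matched against a domain list here, so those need a separate
    IP-based lookup rather than a silent match.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        host = ev.get("DestinationHostname") or ""
        if not host_matches(host):
            continue
        image = ev.get("Image", "")
        if image_name(image) in ALLOWED_IMAGES:
            continue
        alerts.append({
            "computer": ev.get("Computer"),
            "user": ev.get("User"),
            "image": image,
            "destination": host,
        })
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Browser traffic to Mega: allowlisted, no alert.
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "g.api.mega.co.nz"},
    # MEGAsync under its normal name and path: still not chrome.exe, alert.
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\MEGAsync\\MEGAsync.exe",
     "DestinationHostname": "g.api.mega.co.nz"},
    # Scripted upload from a server: alert.
    {"EventID": 3, "Computer": "SRV02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "mega.io"},
    # Lookalike hostnames: must not match.
    {"EventID": 3, "Computer": "WS03", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "DestinationHostname": "notmega.co.nz"},
    {"EventID": 3, "Computer": "WS03", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "DestinationHostname": "mega.co.nz.evil.example"},
    # No hostname resolved by Sysmon: skipped, not matched.
    {"EventID": 3, "Computer": "WS04", "User": "CORP\\carol",
     "Image": "C:\\Tools\\rclone.exe",
     "DestinationHostname": "", "DestinationIp": "203.0.113.10"},
    # Process-creation event, not a network connection: ignored.
    {"EventID": 1, "Computer": "WS04", "User": "CORP\\carol",
     "Image": "C:\\Tools\\rclone.exe", "DestinationHostname": "mega.io"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run as written it emits two alerts, for MEGAsync.exe and powershell.exe; chrome.exe is suppressed and the two lookalike hostnames never match. In a real deployment the allowlist is the part to tune: other browsers and any sanctioned Mega client need adding per environment, and connections that Sysmon logs only by IP need a separate IP-to-domain enrichment step before this logic can see them.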
Recent activity
28 sources tracked across advisories, community write-ups, and news.
Named ransomware operation referenced in connection with aliases linked to the seller of INC source code.
Ransomware family mentioned only in a related-article link title; no operational details provided in the main content.
Ransomware family referenced in connection with attacks in the United States.
Ransomware used to encrypt victim environments and cause operational disruption/damage; referenced in the context of DOJ action against an alleged conspirator.