Rewterz Threat Alert – Nefilim/Nephilim Ransomware Campaign

Severity

High

Analysis Summary

Threat actors are accessing organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched. Once an attacker gains a foothold through the remote access system, they then use tools such as mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network. The attacker can identify the need of information and extract the desired information and encrypt files.

Impact

• Gain access in the network
• Lateral movement across the network.
• Exposure of sensitive information
• File encryption

Indicators of Compromise

MD5

• 053ec539c138afb99054bd362bb3ed71
• 26c35850483c877ee23f476b38d58deb
• 70e4b9b7a83473687e5784489d556c87
• dfd4dbfd7cbd6179fc371e5f887f189c
• 659c4b68f2027905def1af9249feebb3
• 5ff20e2b723edb2d0fb27df4fc2c4468
• 0790a7e0a842e1de70de194054fa11b3
• 3beb3d466bcc0977ec2dd66d72ab6bb3
• 80cfda61942eb4e71f286297a1158f48
• 8f90539c405672016c0dec7ac3574eea
• dc88265c361d73540a31c19583271fb0
• ddc50d4ae0674d854a845b3eb32508c3

SHA-256

• b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17
• b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
• 7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
• fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020
• 8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b
• 3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953
• 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
• d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
• 35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f
• 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
• 3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5
• 353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5
• 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
• 7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377

SHA1

• d87847810db8af546698e47653452dcd089c113e
• bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
• bbcb2354ef001f476025635741a6caa00818cbe7
• f246984193c927414e543d936d1fb643a2dff77b
• e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
• c61f2cdb0faf31120e33e023b7b923b01bc97fbf
• 6c9ae388fa5d723a458de0d2bea3eb63bc921af7
• 2483dc7273b8004ecc0403fbb25d8972470c4ee4
• 0d339d08a546591aab246f3cf799f3e2aaee3889
• 4595cdd47b63a4ae256ed22590311f388bc7a2d8
• 1f594456d88591d3a88e1cdd4e93c6c4e59b746c
• 9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a
• e99460b4e8759909d3bd4e385d7e3f9b67aa1242
• e94089137a41fd95c790f88cc9b57c2b4d5625ba

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your existing environment.
• Keep your software patched.
• Enable multi factor authentication (MFA).