Nefilim Ransomware
Essential information
- Published
- 24/02/2026 17:00
- Modified
- 24/02/2026 20:54
- Tags
- 2026-02-24, CVE-2019-11634, CVE-2019-19781, aes-128, citrix, credential-theft, data exfiltration, encryption, lateral movement, nefilim, nemty, netwalker, ransomware, rdp
- Related entities
- 14 observables, 1 intrusion set (apt), 13 techniques (mitre), 2 others
Description
Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol (RDP) services for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if the ransom is not paid. Nefilim uses tools such as PsExec, Mimikatz, and LaZagne for lateral movement and credential theft. It employs AES-128 encryption and drops a ransom note named 'NEFILIM-DECRYPT.txt'. The ransomware has attacked high-profile targets such as Toll Group. Mitigation strategies include strong passwords, disabling RDP where it is not needed, regular backups, software updates, and monitoring for lateral movement and data exfiltration.
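The monitoring point above can be turned into a concrete triage rule. The following Python script is an added example, not part of this report or of any vendor tooling: it runs over a constructed file-event log (the pipe-separated format, hostnames, usernames and paths are all assumptions made for the example) and flags hosts where the reported ransom note name 'NEFILIM-DECRYPT.txt' is created in several directories, or where a burst of file modifications occurs within a short window, which is the pattern mass encryption leaves in file-server telemetry. Both thresholds are assumed values a defender would tune to their environment.

```python
"""Triage file-event logs for Nefilim-style ransom-note drops and encryption bursts.

Added example: the log format, hosts, paths and thresholds below are constructed
for illustration and are not taken from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE_NAME = "NEFILIM-DECRYPT.txt"  # ransom note name reported for Nefilim

# Constructed sample telemetry: "timestamp|host|user|action|path".
# FS01 shows a note dropped in three share directories amid rapid modifications,
# WS07 is ordinary user activity, IR01 is an analyst storing a single copy of the note.
SAMPLE_EVENTS = """\
2026-02-24T09:00:01|FS01|svc_backup|MODIFY|C:\\Shares\\Finance\\Q1.xlsx
2026-02-24T09:00:02|FS01|svc_backup|MODIFY|C:\\Shares\\Finance\\Q2.xlsx
2026-02-24T09:00:03|FS01|svc_backup|MODIFY|C:\\Shares\\Finance\\budget.docx
2026-02-24T09:00:04|FS01|svc_backup|CREATE|C:\\Shares\\Finance\\NEFILIM-DECRYPT.txt
2026-02-24T09:00:05|FS01|svc_backup|MODIFY|C:\\Shares\\HR\\payroll.xlsx
2026-02-24T09:00:06|FS01|svc_backup|MODIFY|C:\\Shares\\HR\\contracts.pdf
2026-02-24T09:00:07|FS01|svc_backup|CREATE|C:\\Shares\\HR\\NEFILIM-DECRYPT.txt
2026-02-24T09:00:08|FS01|svc_backup|MODIFY|C:\\Shares\\Legal\\nda.docx
2026-02-24T09:00:09|FS01|svc_backup|CREATE|C:\\Shares\\Legal\\NEFILIM-DECRYPT.txt
2026-02-24T09:30:00|WS07|jsmith|MODIFY|C:\\Users\\jsmith\\Documents\\notes.txt
2026-02-24T09:31:00|WS07|jsmith|CREATE|C:\\Users\\jsmith\\Desktop\\report.docx
2026-02-24T10:15:00|IR01|analyst|CREATE|C:\\Cases\\sample\\NEFILIM-DECRYPT.txt
"""


def parse_events(text):
    """Parse pipe-separated event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, path = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "action": action, "path": path})
    return events


def ransom_note_dirs(events, min_dirs=2):
    """Hosts where the ransom note was created in at least min_dirs distinct directories.

    A single copy (e.g. an analyst's case folder) stays below the threshold.
    """
    by_host = defaultdict(set)
    for e in events:
        directory, _, name = e["path"].rpartition("\\")
        if e["action"] == "CREATE" and name.lower() == RANSOM_NOTE_NAME.lower():
            by_host[e["host"]].add(directory)
    return {h: sorted(d) for h, d in by_host.items() if len(d) >= min_dirs}


def write_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Hosts with at least `threshold` MODIFY events inside any sliding time window."""
    by_host = defaultdict(list)
    for e in events:
        if e["action"] == "MODIFY":
            by_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


def triage(events):
    """Combine both detections; a host hitting both is rated high."""
    notes, bursts = ransom_note_dirs(events), write_bursts(events)
    alerts = []
    for host in sorted(set(notes) | set(bursts)):
        reasons = []
        if host in notes:
            reasons.append(f"ransom note created in {len(notes[host])} directories")
        if host in bursts:
            reasons.append(f"{bursts[host]} file modifications within 60s")
        severity = "high" if host in notes and host in bursts else "medium"
        alerts.append({"host": host, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed data only FS01 is flagged, and at high severity because both signals fire; IR01's single copy of the note is deliberately left below the directory threshold so that incident-response handling of a sample does not raise an alert. In a real deployment the event feed would come from file-server auditing or EDR file telemetry, and the burst threshold would be set against a baseline of normal write rates per host.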