{
  "name": "Nefilim Ransomware",
  "slug": "nefilim-ransomware",
  "description": "Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol (RDP) services for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if the ransom is not paid. Nefilim uses tools like PsExec, Mimikatz, and LaZagne for lateral movement and credential theft. It employs AES-128 encryption and drops a ransom note named 'NEFILIM-DECRYPT.txt'. The ransomware has attacked high-profile targets like Toll Group. Mitigation strategies include strong passwords, disabling RDP, regular backups, software updates, and monitoring for lateral movement and data exfiltration.",
  "published": "2026-02-24T16:00:03+00:00",
  "created_at": "2026-02-24T16:00:03+00:00",
  "modified_at": "2026-02-24T19:54:16+00:00",
  "created_at_opencti": "2026-02-24T16:00:03+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-24",
    "CVE-2019-11634",
    "CVE-2019-19781",
    "aes-128",
    "citrix",
    "credential-theft",
    "data exfiltration",
    "encryption",
    "lateral movement",
    "nefilim",
    "nemty",
    "netwalker",
    "ransomware",
    "rdp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641"
      },
      {
        "id": "",
        "name": "7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377"
      },
      {
        "id": "",
        "name": "b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e"
      },
      {
        "id": "",
        "name": "52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea"
      },
      {
        "id": "",
        "name": "5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6"
      },
      {
        "id": "",
        "name": "7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599"
      },
      {
        "id": "",
        "name": "3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953"
      },
      {
        "id": "",
        "name": "d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3"
      },
      {
        "id": "",
        "name": "353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5"
      },
      {
        "id": "",
        "name": "fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020"
      },
      {
        "id": "",
        "name": "8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b"
      },
      {
        "id": "",
        "name": "b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17"
      },
      {
        "id": "",
        "name": "35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f"
      },
      {
        "id": "",
        "name": "3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5"
      }
    ],
    "intrusion_sets": [
      {
        "id": "27479b3f-3f9f-4c35-b09e-50d9f677a023",
        "name": "Nefilim",
        "slug": "nefilim"
      }
    ],
    "attack_patterns": [
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56",
        "name": "T1570"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e",
        "name": "T1567.002"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Australia"
      },
      {
        "id": "",
        "name": "Transportation"
      }
    ]
  },
  "external_refs": [
    "https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware",
    "https://otx.alienvault.com/pulse/699dd914e2e8434b78e71749"
  ]
}