Nefilim Ransomware Group (2019-2021)
ChatGPT-Generated Overview of Nefilim
Nefilim (also seen as "Netfilim" or "Nephilim") ransomware emerged in March 2020 as a successor to the Nemty ransomware family. It marked a shift from RaaS (Ransomware-as-a-Service) toward highly targeted enterprise attacks, combining encryption with data exfiltration and extortion.
- Alias: Water Roc (tracked by various vendors)
- Tactic: Double extortion via encryption and public data leaks
Targeted Industries & Victims
Nefilim focused on large enterprises in sectors like:
- Manufacturing
- Transportation
- Energy
- Professional Services
Notable Compromised Companies
- Toll Group (Australia)
- SPIE Group (Europe)
- Dussmann Group (Germany)
Tools & Tactics (MITRE ATT&CK-Aligned)
Initial Access
- Exploited:
  - CVE-2019-19781 (Citrix ADC/Gateway)
  - CVE-2019-11634 (Citrix Storefront)
- Used RDP brute force or credential reuse on exposed systems
Credential Access
- Mimikatz used to harvest credentials
Lateral Movement
- RDP and WMI (Windows Management Instrumentation)
Data Exfiltration
- Used MEGA cloud storage to upload stolen data
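A defender's view of the exfiltration step above is outbound volume to consumer cloud-storage domains. The following is an added example, not part of the original overview: it aggregates bytes sent per source address to MEGA domains from a constructed, simplified proxy log (format, hostnames, addresses and sizes are all assumed) and flags sources that exceed a threshold.

```python
"""Flag sources pushing large volumes to consumer cloud-storage domains.

Added example, not part of the original overview. It assumes a constructed,
simplified proxy log format:
    <ISO timestamp> <src_ip> <user> <method> <dest host> <bytes_out>
"""
from collections import defaultdict

# Suffixes to watch; mega.nz and mega.co.nz belong to the MEGA service the
# overview names. Extend the tuple with other services your policy covers.
WATCHED_DOMAINS = ("mega.nz", "mega.co.nz")
DEFAULT_THRESHOLD = 500 * 1024 * 1024  # 500 MiB per source within the log window

# Constructed sample proxy log (not real telemetry). Hosts and addresses are
# assumed; sizes are 300 MiB, 300 MiB, 300 MiB, 400 MiB, 20 MiB, 2 KiB.
SAMPLE_PROXY_LOG = """\
2020-06-01T01:02:10 10.0.5.22 svc_backup POST api.mega.co.nz 314572800
2020-06-01T01:09:44 10.0.5.22 svc_backup POST api.mega.co.nz 314572800
2020-06-01T01:17:03 10.0.5.22 svc_backup POST api.mega.co.nz 314572800
2020-06-01T01:20:00 10.0.5.22 svc_backup GET updates.example.net 419430400
2020-06-01T08:45:12 10.0.5.40 jdoe POST mega.nz 20971520
2020-06-01T08:50:00 10.0.5.40 jdoe GET www.example.com 2048
this line is deliberately malformed and must be skipped
"""


def is_watched(host: str) -> bool:
    """Suffix match, so 'omega.nz' does not alert but 'api.mega.co.nz' does."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def bytes_to_watched_domains(text: str) -> dict:
    """Sum bytes_out per source address for requests to watched domains."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed or unexpected format: skip, never crash the pipeline
        _ts, src, _user, _method, host, size = parts
        if not size.isdigit() or not is_watched(host):
            continue
        totals[src] += int(size)
    return dict(totals)


def flag_exfil_candidates(text: str, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Return {source: total_bytes} for sources at or above the threshold."""
    return {src: total for src, total in bytes_to_watched_domains(text).items()
            if total >= threshold}


if __name__ == "__main__":
    for src, total in flag_exfil_candidates(SAMPLE_PROXY_LOG).items():
        print(f"ALERT {src}: {total / 2**20:.0f} MiB sent to watched cloud-storage domains")
```

The threshold is a per-environment choice; sanctioned use of the same services by specific accounts is better handled by an allow-list in front of this check than by raising the threshold for everyone.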
Encryption & Impact
- File encryption using AES-128, with the AES key protected by RSA-2048
- Appended file extension: .NEFILIM
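The appended extension is the most visible host-side indicator of the encryption stage. The following is an added example, not part of the original overview: it parses a constructed, simplified file-activity log (the format, hostnames and paths are assumed) and raises one alert per host/user pair that renamed many files to .NEFILIM within a short window, which is the signal a responder needs to decide which machine to isolate first.

```python
"""Burst detection for renames that append the .NEFILIM extension.

Added example, not part of the original overview. It assumes a constructed,
simplified file-activity log format:
    <ISO timestamp> <host> <user> RENAME <old path> -> <new path>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

NEFILIM_EXT = ".nefilim"  # compared case-insensitively


class RenameEvent(NamedTuple):
    ts: datetime
    host: str
    user: str
    old: str
    new: str


class Alert(NamedTuple):
    host: str
    user: str
    count: int
    first: datetime
    last: datetime


# Constructed sample log (not real telemetry): a service account on a file
# server renaming six files in two seconds, and an unrelated user on a
# workstation doing ordinary renames.
SAMPLE_LOG = r"""2020-06-01T02:14:01 FS01 svc_backup RENAME D:\share\q1.xlsx -> D:\share\q1.xlsx.NEFILIM
2020-06-01T02:14:01 FS01 svc_backup RENAME D:\share\q2.xlsx -> D:\share\q2.xlsx.NEFILIM
2020-06-01T02:14:02 FS01 svc_backup RENAME D:\share\plan.docx -> D:\share\plan.docx.NEFILIM
2020-06-01T02:14:02 FS01 svc_backup RENAME D:\share\hr.pdf -> D:\share\hr.pdf.NEFILIM
2020-06-01T02:14:03 FS01 svc_backup RENAME D:\share\cad.dwg -> D:\share\cad.dwg.NEFILIM
2020-06-01T02:14:03 FS01 svc_backup RENAME D:\share\notes.txt -> D:\share\notes.txt.NEFILIM
2020-06-01T09:30:15 WS07 jdoe RENAME C:\Users\jdoe\draft.docx -> C:\Users\jdoe\final.docx
2020-06-01T09:31:40 WS07 jdoe RENAME C:\Users\jdoe\old.NEFILIM -> C:\Users\jdoe\old.txt
"""


def parse_events(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5 or parts[3] != "RENAME" or " -> " not in parts[4]:
            continue
        old, new = parts[4].split(" -> ", 1)
        events.append(RenameEvent(datetime.fromisoformat(parts[0]),
                                  parts[1], parts[2], old, new))
    return events


def find_encryption_bursts(events, threshold: int = 5,
                           window: timedelta = timedelta(seconds=60)) -> list:
    """One Alert per (host, user) whose densest window of .NEFILIM renames
    holds at least `threshold` events. Only the NEW name is checked, so a
    restore that renames .NEFILIM files back does not trigger."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.new.lower().endswith(NEFILIM_EXT):
            by_actor[(ev.host, ev.user)].append(ev.ts)

    alerts = []
    for (host, user), times in by_actor.items():
        times.sort()
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            n = end - start + 1
            if n > best[0]:
                best = (n, start, end)
        if best[0] >= threshold:
            alerts.append(Alert(host, user, best[0], times[best[1]], times[best[2]]))
    return alerts


if __name__ == "__main__":
    for a in find_encryption_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a.host}/{a.user}: {a.count} files renamed to .NEFILIM "
              f"between {a.first.time()} and {a.last.time()}")
```

Even a single .NEFILIM rename is worth an alert on its own; the sliding window is there to rank which host and account are actively encrypting so that isolation and credential revocation go to the right place first.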
Ransomware Operations
- Double extortion: Victims were threatened with public exposure on a leak site called Corporate Leaks
- Ransom demands were tailored to the victim's financial profile
Known Actor Involvement
- Artem Aleksandrovych Stryzhak, a Ukrainian national, was extradited to the U.S. in 2025 for Nefilim-linked attacks on companies exceeding $200M in revenue.
Mitigations
- Apply critical updates to Citrix, VPNs, and other exposed services
- Audit user accounts and remove unused credentials
- Enforce Multi-Factor Authentication (MFA)
- Implement network segmentation
- Maintain offline backups and test restoration regularly