Ghost Accounts used by Nefilim Ransomware Actors


Ransomware operators are increasingly teaming up, exchanging software and infrastructure to accelerate the leak-and-extort operations that harm their victims. One such ransomware is Nefilim.

Nefilim, also known as Nemty, emerged in 2020 as a new entry on the list of ransomware strains. If victims do not pay the ransom, Nefilim threatens to publish their data; it runs its own leak site, called Corporate Leaks, hosted on a Tor node.

As stated by Michael Heller, a researcher at Sophos, Rapid Response is a 24/7 service provided by Sophos that helps organizations detect and neutralize active threat actors as quickly as possible. Recently, a company hit by Nefilim ransomware reached out to Sophos Rapid Response for help. In the reported incident, a Nefilim attack that locked up more than 100 systems stemmed from the compromise of an unmonitored account belonging to an employee who had died three months earlier. The attackers moved silently through the network, stole domain admin credentials, then located and exfiltrated hundreds of GB of data before unleashing the malware that revealed their presence. The account had clearly been kept on purpose because it was used for utilities, so the Rapid Response team had to determine which actions taken from that account were legitimate and which were malicious.
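Added here as a defender's example (not code from the article or from Sophos): a PowerShell audit that lists enabled Active Directory accounts with no logon in 90 days and flags those holding privileged group membership, so a leaver's account kept alive "for utilities" surfaces before an attacker reuses it. The 90-day threshold, the privileged group names and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: find "ghost" accounts, i.e. enabled AD user accounts with no
# logon for $StaleDays days (the article's employee had been gone three months;
# the threshold is an assumption), and flag privileged ones.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$StaleDays  = 90                                   # assumed threshold
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumed

# Enabled accounts only: a disabled ghost cannot be used for lateral movement.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, PasswordLastSet, MemberOf, Description

$ghosts = foreach ($u in $users) {
    # LastLogonDate is the replicated value; $null means the account never logged on.
    # Note: accounts used as service identities log on non-interactively and may
    # not look stale, so also review Description for leavers' accounts kept "for utilities".
    $lastLogon = $u.LastLogonDate
    if ($null -eq $lastLogon -or $lastLogon -lt $Cutoff) {
        # MemberOf is direct membership only; nested membership is not resolved here.
        $groups = $u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            LastLogonDate   = $lastLogon
            PasswordLastSet = $u.PasswordLastSet
            Privileged      = [bool]($groups | Where-Object { $PrivGroups -contains $_ })
            Description     = $u.Description
        }
    }
}

# Privileged ghosts first: a stale domain-admin account is exactly what a
# credential-theft tool hands an intruder without the owner ever noticing.
$ghosts | Sort-Object -Property Privileged, LastLogonDate -Descending |
    Format-Table -AutoSize

# Remediation once reviewed: disable rather than delete, so past activity can
# still be attributed to the account during an investigation (-WhatIf previews).
# $ghosts | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```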

Nefilim ransomware replaces the original files with encrypted copies, as nearly all major ransomware does, making recovery difficult without either a decryption key or a recent backup. As soon as the customer engaged Sophos, the Rapid Response team took steps to deploy protection onto any systems the attackers might use, to ensure that all required security measures were in place on the systems Sophos had already covered, and to find evidence of how and where the intrusion started and what could have been stolen.

As stated by Michael Heller, the latest victim was compromised by exploiting vulnerable versions of Citrix software, after which the actors obtained domain admin credentials using Mimikatz. In general, the actor can gain initial access either through Citrix software or through Remote Desktop Protocol (RDP).

“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” stated Peter Mackenzie, manager of Rapid Response. “Identifying you are under a ransomware attack is easy; identifying the attacker was on your network a week earlier is what counts.”