Rule of the Week: Nefilim/Nephilim Ransomware Detection

This week we want to highlight the community Sigma rule by Emir Erdogan that helps detect Nefilim/Nephilim ransomware used in destructive attacks. This ransomware family was first discovered two months ago, and its code is based on NEMTY ransomware which emerged last summer as a public affiliate program. It looks like NEMTY forked into two separate projects, as its RaaS operations went private, or the adversaries sold the source code to another group. Nephilim ransomware was used in multiple damaging campaigns that threaten to publish victims’ stolen data if the victim decided not to pay a ransom. Attackers compromise RDP services, establish persistence, collect additional credentials to move laterally, and exfiltrate data before delivering the ransomware payloads to all available systems. The rule by Emir Erdogan can spot the beginning of the attack, so you’ll be able to act before all your systems are encrypted: https://tdm.socprime.com/tdm/info/lC8zLKPM5tEv/mCFyDXIBjwDfaYjKjXen/?p=1

Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, Sumo Logic

EDR: Carbon Black, CrowdStrike, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact, Execution, Defense Evasion

Techniques: Data Encrypted for Impact (1486), Disabling Security Tools (1089), Inhibit System Recovery (T1490)

Emir Erdogan is active participant of SOC Prime Threat Bounty Program. TDM users can see his name on the Top Authors by Downloads section on Leaderboards, as well as view all content published by the author on Threat Detection Marketplace.