Hong Kong: Trend Micro has today released a case study of the Nefilim ransomware group. It provides insight into the inner workings of modern ransomware attacks, how such groups have evolved and operate, and how advanced threat detection and response platforms can help stop them.
The report revealed that the modern ransomware families’ approach makes detection and response significantly more difficult for already stretched SOC and IT security teams. This matters not only to the bottom line and corporate reputation but also to the well-being of SOC teams themselves.
“Modern ransomware attacks are highly targeted, adaptable and stealthy – using proven approaches perfected by APT groups in the past. By stealing data and locking key systems, groups like Nefilim look to extort highly profitable global organisations,” said Bob McArdle, Director – Cybercrime Research, Trend Micro.
“Our latest report is a must-read for anyone in the industry who wants to understand this fast-growing underground economy inside-out, and how solutions like Trend Micro Vision One can help them hit back,” added McArdle.
Of the 16 ransomware groups studied from March 2020 to January 2021, Conti, Doppelpaymer, Egregor and REvil led the way in terms of the number of victims exposed—and Cl0p had the most stolen data hosted online at 5TB.
However, the Nefilim ransomware group extorted the highest median revenue with its ruthless focus on organisations earning over $1 billion in revenue.
As the report reveals, a Nefilim ransom group attack typically involves the following stages:
- Initial access that exploits weak credentials on exposed RDP services or other externally facing HTTP services.
- Once inside, legitimate admin tools are used for lateral movement to find valuable systems for data theft and encryption.
- A “call home” system is set up with Cobalt Strike and protocols that can pass through firewalls, like HTTP, HTTPS and DNS.
- Bulletproof hosting services are used for C&C servers.
- Data is exfiltrated and later published on Tor-protected websites to extort the victim. Nefilim published around 2TB of data last year.
- The ransomware payload is launched manually once enough data has been exfiltrated.
Trend Micro has previously warned of the widespread use of legitimate tools such as AdFind, Cobalt Strike, Mimikatz, Process Hacker, PsExec, and MegaSync to help ransomware attackers achieve their end goal while staying hidden.
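The first two stages above (credential abuse on an exposed RDP service, then legitimate admin tools used for lateral movement) leave a recognisable sequence in endpoint telemetry, and correlating them is exactly what the "multiple layers" detection the text refers to means in practice. The following is an added example, not code from the report or from Trend Micro Vision One: it runs a small correlation over constructed events (Windows logon type 10 is the real RemoteInteractive/RDP logon type, but the event field names, thresholds and tool binary names are assumptions) and raises severity when a suspicious external RDP sequence is followed by dual-use admin tools under the same account.

```python
"""Correlate constructed endpoint events against the intrusion stages above:
external RDP credential abuse, then living-off-the-land admin tools on the
same host.  Example code only; the event schema, thresholds and binary names
are assumptions, not the report's or any vendor's detection logic."""
import ipaddress
from collections import defaultdict

RDP_LOGON_TYPE = 10     # Windows logon type 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 5      # failed logons before a success that we treat as suspicious
WINDOW_SECONDS = 600    # failures must fall within this window before the success

# Dual-use admin tools named in the text; binary names are an assumption.
ADMIN_TOOLS = {"adfind.exe", "psexec.exe", "psexec64.exe", "mimikatz.exe",
               "processhacker.exe", "megasync.exe"}

# Only RFC 1918 sources count as internal; documentation ranges such as
# 203.0.113.0/24 are deliberately treated as external here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_rdp_credential_abuse(events):
    """One hit per (host, src_ip, user) where >= FAIL_THRESHOLD failed RDP logons
    from an external address are followed by a successful one within the window."""
    failures = defaultdict(list)   # (host, src_ip, user) -> failure timestamps
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE or is_internal(ev["src_ip"]):
            continue
        key = (ev["host"], ev["src_ip"], ev["user"])
        if ev["type"] == "logon_failed":
            failures[key].append(ev["ts"])
        elif ev["type"] == "logon_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW_SECONDS]
            if len(recent) >= FAIL_THRESHOLD:
                hits.append({"host": ev["host"], "src_ip": ev["src_ip"],
                             "user": ev["user"], "ts": ev["ts"], "failures": len(recent)})
            failures[key].clear()
    return hits


def find_admin_tool_use(events):
    """Process starts whose image is one of the dual-use admin tools."""
    return [ev for ev in events
            if ev["type"] == "process_start" and ev["image"].lower() in ADMIN_TOOLS]


def correlate(events):
    """High severity when admin tools run under the account that just completed a
    suspicious RDP logon; lone admin-tool use elsewhere is reported as low."""
    alerts, covered = [], set()
    tool_events = find_admin_tool_use(events)
    for hit in find_rdp_credential_abuse(events):
        tools = sorted({ev["image"] for ev in tool_events
                        if ev["host"] == hit["host"] and ev["user"] == hit["user"]
                        and ev["ts"] > hit["ts"]})
        if tools:
            covered.add((hit["host"], hit["user"]))
        alerts.append({"severity": "high" if tools else "medium",
                       "stage": "initial_access+lateral_movement" if tools else "initial_access",
                       "host": hit["host"], "user": hit["user"],
                       "src_ip": hit["src_ip"], "tools": tools})
    for ev in tool_events:
        if (ev["host"], ev["user"]) not in covered:
            alerts.append({"severity": "low", "stage": "admin_tool_use",
                           "host": ev["host"], "user": ev["user"],
                           "src_ip": None, "tools": [ev["image"]]})
    return alerts


def _ev(ts, host, type_, user, **extra):
    return {"ts": ts, "host": host, "type": type_, "user": user, **extra}


# Constructed sample telemetry (not from the report): an external source brute
# forces an account over RDP, succeeds, then runs AdFind and PsExec; an internal
# helpdesk source with similar failures is ignored; one lone PsExec on dc01.
SAMPLE_EVENTS = (
    [_ev(100 + 10 * i, "edge-srv01", "logon_failed", "svc_backup",
         logon_type=10, src_ip="203.0.113.7") for i in range(5)]
    + [_ev(150, "edge-srv01", "logon_success", "svc_backup", logon_type=10, src_ip="203.0.113.7"),
       _ev(200, "edge-srv01", "process_start", "svc_backup", image="AdFind.exe"),
       _ev(260, "edge-srv01", "process_start", "svc_backup", image="PsExec.exe"),
       _ev(300, "dc01", "process_start", "sysadmin", image="PsExec.exe"),
       _ev(310, "dc01", "process_start", "sysadmin", image="notepad.exe")]
    + [_ev(400 + 10 * i, "jump01", "logon_failed", "helpdesk",
           logon_type=10, src_ip="10.0.0.5") for i in range(6)]
    + [_ev(470, "jump01", "logon_success", "helpdesk", logon_type=10, src_ip="10.0.0.5")]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of `correlate` is the chaining: each stage alone (a noisy RDP login, an administrator running PsExec) is routine, which is why single-layer alerting misses these intrusions, but the same account moving from a brute-forced external logon straight into directory enumeration and remote execution is what a SOC should page on.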
Trend Micro Vision One monitors and correlates suspicious behaviour across multiple layers—endpoints, emails, servers, and cloud workloads—to ensure there’s no hiding space for threat actors.
This makes for faster incident response times, and teams can often stop attacks before they’ve had a chance to make a serious impact on the organisation.