A new ransomware called Nefilim, which shares much of its code with Nemty, has become active and threatens to publish stolen data if victims do not pay.
According to a BleepingComputer report, Nefilim became active at the end of February 2020. While it is not known for certain how the ransomware is being distributed, the most likely vector is exposed Remote Desktop Services. Head of SentinelLabs Vitali Kremez and ID Ransomware's Michael Gillespie both told BleepingComputer that Nefilim and Nemty 2.5 share much of the same code.
The main difference, the report adds, is that Nefilim relies on email communication for ransom payments rather than a Tor payment site and has dropped the Ransomware-as-a-Service (RaaS) component.
In the Nefilim ransom note, the attackers state that if the victim does not contact them within seven working days, they will release data stolen from the network:
"A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted."
In the past, BleepingComputer adds, this would have been seen as an empty threat, but with Maze, Sodinokibi, Nemty and other widespread ransomware operations following through on their threats, it should no longer be ignored.
The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) recommends encrypting sensitive data at rest and in transit so that it remains protected if exfiltrated. Note that encryption at rest only helps if the attacker cannot obtain the keys; an intruder who already operates with legitimate user or administrator access on the network typically reads files in their decrypted form, so access controls and detection of unusual data movement matter as much as the encryption itself. Given the likely distribution vector, Remote Desktop Services should not be directly reachable from the internet. Additionally, to increase resilience against ransomware, implement a defense-in-depth security strategy and establish a comprehensive backup plan that keeps multiple copies, tests restores regularly and stores at least one copy offline in a separate, secure location.
For more information, visit the BleepingComputer report.