Inactive ransomware operator
← All groupsNefilim
15 victims indexed · first seen 6 years ago · last activity 5 years ago
15
Victims indexed
#179 of 348 tracked operators
1y 4m
Active period
May 2020 → Sep 2021
4
Countries hit
top Germany · 1
At a glance
- Status
- inactive
- First seen
- 6 years ago
- Last activity
- 5 years ago
- Onion sites
- 1 known endpoint
- Primary sector
- Critical Manufacturing · 3 hits
About
Nefilim is a ransomware group that emerged in May 2020, operating as a financially motivated cybercriminal organization that has targeted at least 15 documented victims across multiple sectors. The group's origin and specific affiliations remain largely undocumented by major security firms, though their operational patterns suggest they function as an independent ransomware operation rather than a confirmed Ransomware-as-a-Service model. Nefilim employs double extortion tactics, stealing sensitive data from victims before deploying their ransomware payload, and threatens to publish exfiltrated information on leak sites if ransom demands are not met, with their attacks primarily focusing on critical manufacturing, media, transportation systems, and communications sectors. The group has demonstrated a geographic targeting preference for Germany, France, New Zealand, and Australia, suggesting either regional operational focus or specific victim selection criteria within these countries. Due to the limited public documentation from major threat intelligence providers, detailed information about specific high-profile campaigns, attack vectors, and current operational status remains sparse in open-source reporting from established security research organizations.
References
32 linksExternal sources curated by the MISP threat-intel community.
- zdnet.com/article/a-deep-dive-into-nefilim-a-double-extortion-ransomware-group
- trendmicro.com/en_nz/research/21/f/nefilim-modern-ransomware-attack-story.html
- secureworks.com/research/threat-profiles/gold-mansard
- blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware
- docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf
- id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html
- intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry
- ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
- news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
- news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- securelist.com/evolution-of-jsworm-ransomware/102428/
- us-cert.cisa.gov/ncas/alerts/aa20-345a
- vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
- bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/
- bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/
- bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
Timeline
5 months2020-05-01T00:00:00+00:002021-09-01T00:00:00+00:00
Top countries
🇩🇪 Germany
1
🇫🇷 France
1
🇳🇿 New Zealand
1
🇦🇺 Australia
1
Top sectors
Critical Manufacturing
3
Media
2
Transportation Systems
1
Communication
1
MITRE ATT&CK
6 techniques · 6 tacticsTactics
Initial AccessExecutionDefense EvasionCollectionExfiltrationImpact
Recent victims
Loading…
Onion infrastructure
1 known- http://hxt254aygrsziejn.onion
Source
Updated 5 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.