March 23, 2020 By David Bisson 3 min read

Last week in security news, researchers observed the Nefilim ransomware family threatening to publish its victims’ data if they did not pay their ransoms within a week. Nefilim wasn’t the only malware that made headlines last week. Ursnif also drew some attention with a new campaign targeting Italy. Additionally, researchers spotted Cookiethief attempting to steal access to its victims’ social media accounts.

Top Story of the Week: Nefilim Threatens to Publish Victims’ Data After 7 Days

Security researchers informed Bleeping Computer that Nefilim first started up in February 2020. Their analysis of the threat determined that Nefilim shared some code with Nemty, another ransomware family. Even so, Nefilim differed from Nemty in that it lacked a ransomware-as-a-service (RaaS) component and told its victims they could receive payment instructions by contacting an email address, not visiting a Tor portal, according to the researchers.

Upon successful infection, Nefilim used AES-128 encryption to render its victims’ data inaccessible. It then dropped a note in which it informed its victims that it would publish their stolen data unless they paid their ransom within a week.


Also in Security News

  • New Campaign Launched by Ursnif Targets Italy: Researchers at Cybaze-Yoroi Zlab detected a new phishing campaign that leveraged a compromised Italian law-themed website as a DropURL to download a self-extracting archive. This file’s contents ultimately led the campaign to execute a JavaScript module containing an executable responsible for running Ursnif malware.
  • Website for Manufacturer Infected by Magecart Skimmer: Near the end of February, RiskIQ observed that Magecart Group 8 had injected a JavaScript-based skimmer onto the website of a blender manufacturer. The security firm ultimately stopped the attack by taking down the exfiltration domain employed by the threat actors.
  • All Other Stalkerware Dwarfed by MonitorMinor: Kaspersky Lab discovered that MonitorMinor arrived with the ability to run the SuperUser (SU) utility on an infected Android device for the purpose of gaining access to numerous social networking apps and functionality. Running the SU utility also gave MonitorMinor the ability to steal a victim’s screen lock credentials.
  • Social Media Accounts Targeted by Cookiethief Infostealer: Just a day prior to its discovery of MonitorMinor, Kaspersky Lab disclosed its discovery of a new cookie-stealing Android Trojan called Cookiethief. This malware used root privileges to transfer cookies for social networking accounts and browsers, all for the purpose of distributing spam.
  • Security of Intel CPUs Threatened by Snoop Attacks: According to Intel, a software engineer demonstrated that a susceptibility in its processors could enable attackers to insert malicious code after a change in the L1D cache, causing the CPU to update all cache levels. Bad actors could then leverage that technique to produce errors that would leak data from a CPU’s inner memory.
  • Most Ransomware Executed Three Days After First Signs of Malicious Activity: In its analysis of ransomware response investigations between 2017 and 2019, FireEye found that most ransomware infections had occurred at least three days after the first signs of malicious activity appeared. The security firm also found that approximately three-quarters of ransomware infections had occurred outside of normal working hours.

Security Tip of the Week: Strengthen Your Anti-Ransomware Measures

Security professionals can help strengthen their organizations’ anti-ransomware measures by ensuring that they have access to the latest threat intelligence. Doing so will help organizations stay abreast of the latest techniques and attacks employed by ransomware actors. Additionally, infosec personnel should endeavor to inventory the locations of the organization’s critical business assets so they can craft defensive strategies accordingly.
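One concrete way to act on the FireEye finding above (most deployments at least three days after the first signs of malicious activity, and most outside working hours) is an alerting rule that flags off-hours bursts of file writes and correlates them with the earliest prior alert on the same host. The script below is an added example, not from the article or from FireEye; the event format, business hours and burst threshold are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not from the article): per-minute buckets of
# file-write activity plus earlier "initial access" style alerts per host.
SAMPLE_EVENTS = [
    {"ts": "2020-03-10T14:05:00", "host": "ws-17", "kind": "alert",
     "detail": "office doc spawned scripting host"},
    {"ts": "2020-03-11T09:30:00", "host": "ws-17", "kind": "file_writes", "count": 40},
    {"ts": "2020-03-14T02:10:00", "host": "ws-17", "kind": "file_writes", "count": 1800},
    {"ts": "2020-03-14T02:11:00", "host": "fs-01", "kind": "file_writes", "count": 5200},
    # Bulk writes during business hours (a backup job, say) should not fire.
    {"ts": "2020-03-12T11:00:00", "host": "ws-03", "kind": "file_writes", "count": 2100},
]

WORK_START, WORK_END = 8, 18      # assumed local business hours
BURST_THRESHOLD = 1000            # assumed writes/minute treated as mass encryption
MIN_DWELL = timedelta(days=3)     # FireEye: most deployments >= 3 days after first signs


def parse(ts):
    return datetime.fromisoformat(ts)


def off_hours(dt):
    """True on weekends or outside WORK_START..WORK_END."""
    return dt.weekday() >= 5 or not (WORK_START <= dt.hour < WORK_END)


def find_suspicious_bursts(events):
    """Return off-hours write bursts, each correlated with the earliest
    prior alert on the same host (None if there was none)."""
    first_alert = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "alert":
            first_alert.setdefault(e["host"], parse(e["ts"]))
    findings = []
    for e in events:
        if e["kind"] != "file_writes" or e["count"] < BURST_THRESHOLD:
            continue
        when = parse(e["ts"])
        if not off_hours(when):
            continue
        first = first_alert.get(e["host"])
        findings.append({
            "host": e["host"], "ts": e["ts"],
            "prior_alert": first.isoformat() if first else None,
            "dwell_days": (when - first).days if first else None,
            "dwell_matches_pattern": first is not None and when - first >= MIN_DWELL,
        })
    return sorted(findings, key=lambda f: f["ts"])
```

A burst with no prior alert on that host (fs-01 here) is still worth paging on; it simply means the earlier signs were missed or happened on another host, which is the gap threat intelligence and asset inventory are meant to close.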
