BlackBerry ThreatVector Blog

Nefilim Ransomware and Mitigating Attacks in the COVID-19 Era

In the past few weeks, both public and private sector organizations in Australia have been aggressively targeted by a series of malware and ransomware attacks. One of the higher-profile attacks used Nefilim ransomware and ended with the victim company’s data being published on the dark web.

Other recent attacks were specifically designed to bring down critical industries, including health, energy, supply chain, and government services. Unfortunately, it’s clear these threats are ramping up while we are at our most vulnerable: working hard to recover from the economic and societal impacts of COVID-19, with large remote workforces and millions of exposed endpoints.

Australia’s Cyber-Battle in a Pandemic Age

The escalating situation has prompted the Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) to voice concerns about the rising levels of advanced persistent threat (APT) attacks. The ACSC issued a widely welcomed technical advisory that urges IT departments to use certain measures to mitigate the risk of attacks.

In addition to the well-known Essential Eight strategies recommended by the Australian Signals Directorate (ASD), the ACSC has outlined the tactics, techniques, and procedures (TTPs) that have targeted Australian networks in the past twelve months, mapped against the globally recognised MITRE ATT&CK framework. It strongly recommends that organisations act now by leveraging this framework to ultimately reduce the risk of compromise.

A Closer Look at Nefilim Ransomware

Nefilim is a newer strain of ransomware that recently compromised a prominent supply chain company that will remain undisclosed here. Unfortunately, it was the second time that company fell victim to a ransomware attack in just a few months. The first attack used the well-known Mailto (also known as Netwalker) ransomware. In the second attack, the Nefilim payload appears to have been delivered via Remote Desktop Protocol (RDP) systems that had been left exposed to the Internet.

There are several vulnerabilities in Microsoft’s RDP that can be exploited for easy access, and it is reasonably easy to compromise with brute force (i.e. an automated process of trying many username and password combinations until one works). Microsoft RDP systems are also easy to find with a simple scan for port 3389 across the web.
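The defensive counterpart to the brute-force scenario above is spotting the password guessing in the Windows Security log before it succeeds. The following is an added example, not code from the original post or from BlackBerry: it flags sources that rack up repeated RDP logon failures (event 4625 with LogonType 10, RemoteInteractive) inside a short window, and notes whether a success (event 4624) from the same source follows. The log lines, threshold and window are constructed assumptions for the illustration.

```python
"""Flag RDP password guessing from Windows Security log failures (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, EventID, LogonType, TargetUser, SourceIP.
# Real 4625/4624 events carry these fields among many others; the flat layout is assumed.
SAMPLE_LOG = """\
2020-06-30T02:14:01 4625 10 administrator 203.0.113.45
2020-06-30T02:14:03 4625 10 admin 203.0.113.45
2020-06-30T02:14:05 4625 10 user 203.0.113.45
2020-06-30T02:14:07 4625 10 test 203.0.113.45
2020-06-30T02:14:09 4625 10 guest 203.0.113.45
2020-06-30T02:14:11 4624 10 jsmith 203.0.113.45
2020-06-30T02:20:00 4625 10 jsmith 198.51.100.7
2020-06-30T02:45:00 4625 10 jsmith 198.51.100.7
2020-06-30T03:00:00 4625 3 svc_backup 10.0.0.12
"""

THRESHOLD = 5                  # failures from one source address ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window (assumed values)


def parse(line):
    ts, event_id, logon_type, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src


def find_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: details} for sources exceeding `threshold` RDP logon
    failures within `window`; `success_after` marks a later successful RDP logon."""
    recent = defaultdict(deque)  # src -> failures (ts, user) still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, event_id, logon_type, user, src = parse(line)
        if logon_type != 10:     # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4624 and src in flagged:
            flagged[src]["success_after"] = True  # guessing may have worked
            continue
        if event_id != 4625:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {"first": q[0][0], "last": ts,
                            "users": sorted({u for _, u in q}),
                            "success_after": False}
    return flagged
```

Feeding real events requires exporting the 4624/4625 fields (IpAddress, LogonType, TargetUserName) into this layout; the sliding window keeps slow, spread-out failures from the same source from triggering the alert.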

While we’re unsure of the exact attack pathway, it is clear the attackers were able to find and leverage a vulnerability in order to gain a foothold within the organization’s network and deploy the ransomware. In this case the effect was devastating: the company’s operations were destabilized and its corporate data was exposed on the dark web.

The Human Factor

So, how does an organization get hit twice? One of my recurring messages (see Ten Signs It’s Time to Review Your Endpoint Protection) is that if you get hit by ransomware and don’t use that experience as a catalyst to change your endpoint protection solution, you will likely get hit again. Another important message, particularly during this mass shift to remote work, is to beware of shadow IT.

In the case of the Nefilim ransomware attack in Australia, the RDP systems may have been left exposed by development teams under pressure to spin up new services, bypassing security protocols in the process.

The solution to shadow IT is to reduce the friction of compliance. Provide a lightweight antivirus (AV) agent that works, and employees will use it – not bypass it. Reduce the number of compensating controls for failed legacy AV and embrace end-to-end encryption, and the business will comply.

Overall, this Nefilim ransomware attack is an example of familiar attack methods finding success. The incident should serve as a lesson for us all, to:

  • Use cybersecurity incidents as an opportunity to update our endpoint security software.
  • Review shadow IT tactics in our organisation, and ensure best practices are adhered to.
  • Install a lightweight, AI-driven endpoint security solution like BlackBerry® Protect that will help to reduce friction for users, and at the same time, offer a greater level of protection with a preventative approach.

Prevention-First with MITRE ATT&CK and BlackBerry

As organisations continue to tackle new kinds of cybersecurity adversaries, IT and security teams are increasingly taking a prevention-first approach to known and unknown threats – leveraging artificial intelligence (AI) for endpoint protection (EPP), and for endpoint detection and response (EDR).

In line with the ACSC recommendations, BlackBerry is actively helping companies in the private and public sector to shift from a reactive, traditional antivirus methodology to a next-generation, AI-enabled endpoint strategy that effectively detects threats before they happen. Years of experience as a global incident response and AI leader give BlackBerry the ability to prevent sophisticated attack techniques.

Our analysis shows that the BlackBerry Unified Endpoint Security (UES) solution provides coverage for over 90% of the tactics listed in the ACSC advisory. The remaining tactics are unrelated to endpoint security controls; however, the API integration models offered by the BlackBerry Spark® UES Suite help to enhance the wider security ecosystem. The ACSC advisory overlaps with 27 out of 49 tactics recently evaluated by MITRE, which provides true third-party validation of this performance.

The MITRE ATT&CK® APT29 evaluation recently examined EDR solutions for their ability to detect sophisticated tactics and techniques used by a particular threat group, APT29. Overall, it determined that BlackBerry Spark performed extraordinarily well, far surpassing traditional EDR players.

It also determined that BlackBerry’s automation capabilities drastically reduce the need for manual intervention during incident response. BlackBerry Protect, BlackBerry® Optics and BlackBerry® Guard all played a key role in detecting the attacks and providing rich context about the attacks by mapping them to tactics and techniques or providing telemetry.

For more information about how BlackBerry is helping organisations to combat APT group threats and build cyber-resilient organisations, please visit here. There is also a BlackBerry report which specifically examines the systematic targeting of Linux servers, Windows systems, and mobile devices by APT groups for the past decade.

Robert Collins

About Robert Collins

Director of Sales Engineering, BlackBerry