{"id":42122,"date":"2021-06-28T00:00:00","date_gmt":"2021-06-28T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/f\/nefilim-modern-ransomware-attack-story.html"},"modified":"2021-06-28T00:00:00","modified_gmt":"2021-06-28T00:00:00","slug":"nefilim-ransomware-attack-through-a-mitre-attck-lens","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/nefilim-ransomware-attack-through-a-mitre-attck-lens\/","title":{"rendered":"Nefilim Ransomware Attack Through a MITRE Att&amp;ck Lens"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/f\/nefilim-modern-ransomware-attack-story\/nefilim-modern-ransom-v2_\"><\/p>\n<p>Nefilim is among a new breed of ransomware families that use advanced techniques for a more targeted and virulent attack. It is operated by a group that we track under the intrusion set &#8220;Water Roc&#8221;. This group combines advanced techniques with&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/stop-ransomware-groups-who-weaponize-legitimate-tools.html\">legitimate tools<\/a> to make them significantly harder to detect and respond to before it is too late.<\/p>\n<p>This allows them to remain undetected in the system for weeks, navigating across the environment to maximize their damage. 
Before the attack is even initiated, deep victim profiling is done, allowing them to use victim-specific extortion pricing to tailor the ransom.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/b\/nefilim-ransomware.html\">Nefilim<\/a> is a Ransomware as a Service (RaaS) operation first discovered in <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/cybercrime-and-digital-threats\/nefilim-ransomware-threatens-to-expose-stolen-data\" target=\"_blank\" rel=\"noopener\">March 2020<\/a>,&nbsp;and is believed to have evolved from the earlier Nemty ransomware family. They target multi-billion-dollar companies, primarily based in North or South America, in the financial, manufacturing or transportation industries. They operate under a profit-share model, where Nefilim earns 30% for their ransomware service, and the remaining 70% goes to the affiliates who provide the network access and implement the active phase of the attack.<\/p>\n<p>Like all ransomware, recovery is dependent on an external backup drive or paying for the encryption key, as Nefilim ransomware replaces the original files with encrypted versions.<\/p>\n<p>Along with a new wave of <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/definition\/ransomware#Ransomware_Evolved_Modern_Ransomware\" target=\"_blank\" rel=\"noopener\">double extortion<\/a> ransomware families, Nefilim affiliates are particularly vicious when victims don\u2019t immediately pay the ransom, leaking their sensitive data over an extended period of time. 
They are one of the few groups that host leaked victim data long-term, for months to years, using it to deliver a chilling message to future victims.<\/p>\n<p>The following is a fictional use case built using an in-depth <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/cybercrime-and-digital-threats\/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them\" target=\"_blank\" rel=\"noopener\">case study of the Nefilim ransomware family<\/a> to demonstrate how their typical attack process occurs. The story leverages the <a href=\"https:\/\/attack.mitre.org\/techniques\/enterprise\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK Framework<\/a> to define each tactic and technique used, with a detailed table below for further technical information.<\/p>\n<p><span class=\"body-subhead-title\">Victim Use Case of Nefilim<\/span><\/p>\n<p>Meet Company X, a fictional company that serves as the victim of a typical Nefilim ransomware attack. Company X is a global manufacturing organization with a yearly revenue of US$1 billion and headquartered in North America, making them an ideal target of Nefilim.<\/p>\n<p><span class=\"body-subhead-title\">Infiltrating the Environment<\/span><\/p>\n<p>During their active vulnerability scanning (T1595.002) of Company X\u2019s internet-facing hosts, the adversaries find that X has not patched a Citrix Application Delivery Controller vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-19781\" target=\"_blank\" rel=\"noopener\">CVE-2019-19781<\/a>). This is a vulnerability they can exploit to gain initial access (T1133) through the exposed Remote Desktop Protocol (RDP), and so the attack begins!<\/p>\n<p>X\u2019s security team should have maintained an inventory of their exposed services across their environment, periodically scanning for vulnerabilities so they can proactively mitigate any potential inroads to their network. 
Internet-facing systems such as Citrix should always be a patching priority and managed with strong access controls. Access can be limited with a least-privileged administrative model and a strong multifactor authentication system (M1032) to strengthen account security and prevent credential access. If RDP is unnecessary, which may be why it was left unpatched, then it should be disabled or blocked (M1042). Network proxies, gateways, and firewalls can also be leveraged to deny direct remote access to the internal system, blocking the inroad by which the adversaries are entering.<\/p>\n<p>Intrusion Prevention Systems (IPS) can provide an additional layer of protection in advance of patch availability or patch deployment, which is particularly important for preventing targeted ransomware attacks, such as this one. IPS logs also provide relevant information for detecting initial access activities.<\/p>\n<p>Once the actors have successfully infiltrated X\u2019s network, they begin downloading the additional tools they will need to further their plot (T1608). They download a Cobalt Strike beacon to establish a backdoor and persistent access to the environment so they can remotely execute commands, and later exfiltrate the data. This beacon connects back to one of their pre-established shell companies that hosts their Cobalt Strike Command and Control (C&amp;C) server. They also download Process Hacker to stop endpoint security agents (T1489), and Mimikatz to dump credentials (T1003.001), along with other tools they will need throughout their attack.<\/p>\n<p>The adversaries need elevated permissions to run certain tools as administrators. They take advantage of another unpatched vulnerability in X\u2019s system (T1068), a Windows COM Elevation of Privilege Vulnerability (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2017-0213\" target=\"_blank\" rel=\"noopener\">CVE-2017-0213<\/a>). 
Armed with elevated permissions and credentials courtesy of Mimikatz, they are ready to continue their invasion.<\/p>\n<p>The use of multiple vulnerabilities that were disclosed several years ago is a reminder of the importance of timely software updating (M1051) and patch management. A threat intelligence program can be developed to help identify what software exploits and N-day vulnerabilities may have the most impact on an organization (M1019). Virtual patching programs can enhance existing patch management processes to further defend against known and unknown vulnerabilities. Application isolation and sandboxing can also be used to mitigate the impact of adversaries taking advantage of unpatched vulnerabilities (M1048). Ultimately, an organization needs good application security that looks for and detects exploitation behavior.<\/p>\n<p>Mimikatz is a popular tool used for dumping plaintext passwords, hashes, Kerberos tickets, and other sensitive data from memory. It can also be used to gain access to other systems within the network through a pass-the-hash attack (T1550). However, Mimikatz has no major legitimate use that would explain admins having it on their system, so this tool should be treated as suspicious in most cases.<\/p>\n<p>Mitigations can be established through strict account management and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/audit-policy-recommendations\" target=\"_blank\" rel=\"noopener\">Active Directory Audit Policies<\/a>. Enforcing the least-privileged administrative model (M1018) and limiting credential overlap (M1026) across systems helps to further prevent compromised credentials from enabling lateral movement.<\/p>\n<p><span class=\"body-subhead-title\">Completing the Invasion<\/span><\/p>\n<p>The attackers take advantage of tools that already exist in the system to move laterally and expand their invasion (T1570). 
They use PsExec to launch taskkill to stop services that could alert X\u2019s security team, and to stop backup services (T1489). AdFind gives them vital information about the Active Directory setup, which they use to map out X\u2019s infrastructure and find other targets of interest (T1018). Over time, they move throughout X\u2019s entire environment, including peripheral devices (T1120) and shared drives (T1135), identifying all the valuable data (T1083), and then, using PowerShell commands, they strategically drop Cobalt Strike beacons on specific systems important to their attack as they go.<\/p>\n<p>Network intrusion detection and prevention systems (M1031) are critical to mitigate adversary activity after initial access at the network level. These systems can help security teams see that they\u2019ve been breached and track the attacker\u2019s activities with sensors at the network, cloud, and endpoint\/server layers. Network segmentation and microsegmentation can help to inhibit lateral movement and support security monitoring.<\/p>\n<p><span class=\"body-subhead-title\">Exfiltration for Encryption<\/span><\/p>\n<p>The attackers use automated exfiltration (T1020) over the existing C&amp;C channels established with the Cobalt Strike beacons set up across X\u2019s environment (T1041). The sensitive data is stolen using the File Transfer Protocol (FTP) in fixed-size chunks to avoid triggering network data transfer threshold alerts (T1030). For any large files, they use mega.nz, a legitimate web service, to exfiltrate the data (T1567).<\/p>\n<p>To prevent the exfiltration of data, web-based content can be restricted (M1021) and network traffic can be filtered (M1037). Any suspicious DNS, HTTP and HTTPS connections should be monitored or blocked entirely. AV software should also be kept up-to-date with machine learning plug-ins. 
As a rule of thumb, it is important to block any traffic to a Cobalt Strike C&amp;C server; however, since Cobalt Strike is designed to evade security measures, a multilayer approach is needed for this to be effective.<\/p>\n<p><span class=\"body-subhead-title\">Execution of Ransomware<\/span><\/p>\n<p>After a few weeks, the attackers are satisfied that they have identified all valuable data within X\u2019s environment. They wait until a weekend to help ensure they remain undetected, and then they deploy the Nefilim ransomware on X\u2019s network. The ransom note is prepared for decryption, then Nefilim imports an RSA-2048 public key and leaves it ready to use for encryption. The Nefilim payload is executed with a command-line argument (T1059) containing the full path of the directory with the files identified to be encrypted. All of X\u2019s logical drives are encrypted, and a decrypted ransom note named \u201cNEFILIM-DECRYPT.txt\u201d is written for each one.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/f\/nefilim-modern-ransomware-attack-story.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow the story of Company X as they suffer an attack from the notorious modern ransomware family, Nefilim, and their affiliates, to learn how you can better mitigate against the common tactics and techniques used in these attacks. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42123,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9523,9539,9509],"class_list":["post-42122","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-network","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42122"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42122\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42123"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}