A cybercriminal group known for its Nefilim (also written Netfilim) ransomware is continuing to target energy companies and this week published an array of sensitive data belonging to India’s largest offshore drilling company, Aban Offshore.
The breach, confirmed by cybersecurity firm Cyble, exposed more than 250 employees’ passports along with confidential data about the company and its contractors.
The number of firms held to ransom by ransomware operators is growing steadily, and each day brings new incidents in which companies’ data are compromised and sold without hesitation.
Trend Micro remarked in a security blog, “Nefilim’s code shares many notable similarities with Nemty 2.5 ransomware; the main difference is that Nefilim has done away with the Ransomware-as-a-Service (RaaS) component. It also manages payments via email communication rather than through a Tor payment site.”
The threat actors built the ransomware so that the attackers’ RSA private key is required to decrypt the encrypted files: each file is encrypted with AES-128, the AES key is then wrapped with the attackers’ RSA public key, and the encrypted data are tagged with the “Netfilim” string. Without the private key, the per-file AES key cannot be recovered.
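To make that scheme concrete, the following is an added Go example (written for this page; it is not Nefilim’s code and not from Trend Micro or Cyble) of the hybrid pattern the paragraph describes: a fresh AES-128 key per file, the file content encrypted with it, a marker string appended, and the AES key wrapped with the attacker’s RSA public key. AES-CTR mode, RSA-OAEP padding, the exact marker value and the on-disk layout are assumptions made for the demo. What it shows is the practical consequence for a victim: holding only the public key (or any other private key) leaves the wrapped AES key unrecoverable, so restoration depends on backups rather than on the ransomware’s crypto.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// marker is appended to every encrypted file so it can be recognised later.
// The page reports a "Netfilim" tag; the exact string and its position are
// assumptions for this demo, not observed values.
const marker = "NEFILIM"

// Encrypted is the per-file output of the hybrid scheme (layout assumed).
type Encrypted struct {
	Nonce      []byte // 16-byte CTR IV, stored in the clear
	Body       []byte // AES-128-CTR ciphertext followed by the marker
	WrappedKey []byte // RSA-OAEP(attacker public key, AES key)
}

// encryptFile mirrors the per-file step: fresh AES-128 key, encrypt the
// content, tag it, then wrap the key so only the RSA private key holder
// can unwrap it. The victim machine never needs the private key.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*Encrypted, error) {
	key := make([]byte, 16) // 16 bytes = AES-128
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Encrypted{
		Nonce:      nonce,
		Body:       append(ct, []byte(marker)...),
		WrappedKey: wrapped,
	}, nil
}

// decryptFile is the step only the private key holder can perform: unwrap
// the AES key, then decrypt the body (minus the marker).
func decryptFile(priv *rsa.PrivateKey, e *Encrypted) ([]byte, error) {
	if !isTagged(e.Body) {
		return nil, errors.New("not a tagged file")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err // OAEP check fails with the wrong private key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := e.Body[:len(e.Body)-len(marker)]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, e.Nonce).XORKeyStream(pt, ct)
	return pt, nil
}

// isTagged is the kind of cheap check a responder uses to count affected files.
func isTagged(b []byte) bool { return bytes.HasSuffix(b, []byte(marker)) }

func main() {
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample: contract-2020.pdf contents") // constructed input
	enc, _ := encryptFile(&attackerKey.PublicKey, doc)
	fmt.Println("tagged:", isTagged(enc.Body))

	// Victim side: no private key. A different key pair cannot unwrap the AES key.
	wrongKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := decryptFile(wrongKey, enc); err != nil {
		fmt.Println("decrypt without attacker's private key:", err)
	}
	pt, _ := decryptFile(attackerKey, enc)
	fmt.Println("decrypt with attacker's private key:", string(pt))
}
```

The design point for defenders is in `decryptFile`: every path to the plaintext runs through `rsa.DecryptOAEP` with the attacker’s private key, and the per-file AES key is never written to disk in the clear, so forensic recovery of keys from the victim host is not an option. That is why the backup guidance later in this piece matters.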
Netfilim Operator’s Campaign in Full Swing
The attacks appear opportunistic and have hit firms across diverse sectors. Australian logistics giant Toll Group was also a victim of the campaign in May, when the group breached one of its servers. The firm stood its ground and refused to “settle” with the attackers.
Speaking about the breach back in May, Toll Group had this to say: “after detecting this attack, we shut down our IT systems to mitigate the risk of further infection. Toll has refused to engage with the attacker’s ransom demands, which is consistent with the advice of cybersecurity experts and government authorities. Our ongoing investigations have established that the attacker has accessed at least one specific corporate server. This server contains information about past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers. The server in question was not designed or developed as a repository for customer operational data.” The firm’s “key online systems” were gradually being restored. Noting Toll Group’s refusal, the attackers went ahead and released the data they had taken on the dark web.
With security systems being compromised daily, precautionary steps are advisable to reduce the chance that attackers gain access to networks at all. The UK’s National Cyber Security Centre (NCSC) has updated its backup guidance, prompted by numerous incidents in which ransomware encrypted not only the original data on disk but also the connected USB and network storage drives holding the backups. Backups that stay reachable from the infected host offer no protection; at least one copy should be kept offline or otherwise disconnected from the network.
So far, the damage to affected systems has been irreversible.