Whirlpool Hit With Ransomware Attack
Nefilim Ransomware Gang Takes Responsibility, Posts Allegedly Stolen Data
Appliance maker Whirlpool acknowledges that it was hit with a ransomware attack in November. The Nefilim gang has taken responsibility for the incident and claims to have stolen company data.
"Last month Whirlpool Corporation discovered ransomware in our environment. The malware was detected and contained," a company spokesperson tells Information Security Media Group.
Whirlpool says it is unaware of any consumer information having been exposed and that the ransomware is not causing operational difficulties at this time. The company gave no information on the attack's impact on its systems and operations when it first occurred.
The ransomware gang Nefilim, aka Nephilim, has taken responsibility for the attack. Emsisoft threat analyst Brett Callow confirms to ISMG that the gang has posted two files to its data-leak site with information it claims is from Whirlpool.
"This leak comes after long negotiations and unwillingness of executives of Whirlpool Corporation to uphold the interests of their stakeholders. Whirlpools [sic] cybersecurity is very fragile, which allowed us to breach their network for the second time after they stopped the negotiations," Nefilim writes in a post on its site dated Dec. 26.
The ransomware gang did not indicate what type of information it is leaking.
Whirlpool has said nothing about a second intrusion, and has not confirmed that there was more than one ransomware attack.
Nefilim's History
The Nefilim group is best known for going after organizations that use unpatched or poorly secured Citrix remote-access technology, then stealing data, unleashing crypto-locking malware and using the threat of exfiltrated data being publicly dumped to try to force payment (see: Nefilim Ransomware Gang Tied to Citrix Gateway Hacks ).
In June, CERT NZ, New Zealand's national computer emergency response team, issued a warning specifically citing Nefilim's activity and described how the group conducts an attack.
"We are aware of attackers accessing organizations' networks through remote access systems, such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organizations not using multifactor authentication as an extra layer of security, or a remote access system that isn't patched," CERT NZ said.
The agency said organizations hit with a typical Nefilim attack will see:
- Files with a .NEFILIM extension;
- A ransom note named NEFILIM-DECRYPT.txt, which may be placed on affected systems;
- Batch files created in C:\Windows\Temp.
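The three indicators above are simple enough to sweep for during triage of an affected host or a mounted disk image. The script below is an added example, not code from the article or from CERT NZ: it walks a volume root (assumed to be a mounted copy of the C: drive, so C:\Windows\Temp appears as Windows/Temp under that root) and flags encrypted files, ransom notes and batch files dropped in the Windows temp directory. The sample directory tree it builds is constructed for the demonstration; the file names are illustrative, not real artifacts.

```python
import os
import tempfile
from pathlib import Path

# Indicators CERT NZ lists for a typical Nefilim infection, matched case-insensitively.
ENCRYPTED_SUFFIX = ".nefilim"           # encrypted files get a .NEFILIM extension
RANSOM_NOTE = "nefilim-decrypt.txt"     # ransom note dropped on affected systems
BATCH_DIR_PARTS = ("windows", "temp")   # C:\Windows\Temp, relative to the volume root
BATCH_SUFFIXES = {".bat", ".cmd"}       # assumption: treat .cmd like .bat


def _in_windows_temp(path: Path, root: Path) -> bool:
    """True if path sits directly under <root>/Windows/Temp (any letter case)."""
    rel = path.relative_to(root).parts
    return len(rel) >= 3 and tuple(p.lower() for p in rel[:2]) == BATCH_DIR_PARTS


def scan_for_nefilim_indicators(root):
    """Walk a volume root and return a list of (indicator_kind, path) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            lname = name.lower()
            if lname.endswith(ENCRYPTED_SUFFIX):
                findings.append(("encrypted_file", str(p)))
            if lname == RANSOM_NOTE:
                findings.append(("ransom_note", str(p)))
            # A batch file is only an indicator here when it sits in Windows\Temp;
            # batch files elsewhere on the volume are ignored to limit noise.
            if Path(lname).suffix in BATCH_SUFFIXES and _in_windows_temp(p, root):
                findings.append(("batch_in_windows_temp", str(p)))
    return findings


def summarize(findings):
    """Count findings per indicator kind."""
    counts = {}
    for kind, _path in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_sample_tree(base):
    """Create a constructed sample volume under base (hypothetical files, not real data)."""
    base = Path(base)
    samples = {
        "Users/alice/Documents/budget.xlsx.NEFILIM": b"",        # encrypted file
        "Users/alice/Documents/NEFILIM-DECRYPT.txt": b"ransom note",
        "Users/alice/Documents/notes.txt": b"untouched",         # benign
        "Windows/Temp/run.bat": b"@echo off",                    # batch file in Windows\Temp
        "Users/alice/Desktop/cleanup.bat": b"@echo off",         # batch file elsewhere: not flagged
    }
    for rel, content in samples.items():
        f = base / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(content)
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return (findings, counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = build_sample_tree(tmp)
        found = scan_for_nefilim_indicators(vol)
        return found, summarize(found)


if __name__ == "__main__":
    found, counts = run_demo()
    for kind, path in found:
        print(f"{kind}: {path}")
    print(counts)
```

To use it against a real image, point scan_for_nefilim_indicators at the mount point of the suspect volume rather than at a temp directory. A hit on any one indicator is a reason to isolate the host and preserve the Windows\Temp contents before cleanup, since the dropped batch files are often the only record of how the encryption was launched.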
Extortion Tactics
The double-extortion tactic favored by Nefilim became a mainstream tool among ransomware gangs in 2020. The methodology, pioneered by the now reportedly defunct Maze gang in 2019, is also used by Ryuk, REvil/Sodinokibi, Netwalker and DoppelPaymer (see: Ransomware 2020: A Year of Many Changes).
"This 'monkey see, monkey do' approach has been extremely common in 2020, with threat actors constantly seeking to expand their offensive toolkit by mimicking successful techniques employed by other criminal groups," says Stefano De Blasi, threat researcher at Digital Shadows.