Whirlpool hit by Nefilim ransomware attack

 

 

Whirlpool hit by Nefilim ransomware attack
 


Whirlpool is one of the world's largest home application makers with appliances under its name and KitchenAid, Maytag, Brastemp, Consul, Hotpoint, Indesit, and Bauknecht. Whirlpool employs 77,000 people at 59 manufacturing & technology research centers worldwide and generated approximately $20 billion in revenue for 2019.The leaked data included documents related to employee benefits, accommodation requests, medical information requests, background checks, and more.

Nefilim is a ransomware known to encrypt files on a compromised system and appends the file extension .NEF1LIM to the files it encrypts.
A ransom note named NEF1LIM-DECRYPT.txt is dropped to the directory of every file it encrypts.The ransom note informs the victims that their data has been stolen and if the perpetrators are not contacted, the data will be leaked.
Upon execution, the analyzed variant behaves like typical variants of the ransomware and appends the file extension .NEF1LIM to encrypted files. The ransom note NEF1LIM-DECRYPT.txt is dropped to the directory of every file it encrypts.

Indicators of Compromise

File Hash

8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b
b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953
7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377
b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17
3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5
353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5
5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f
7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
D4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020
fd3c8be2d1ead92101e8909a85695a0a40c2576c87eefeef6d32376a7fe22f1c
eacbf729bb96cf2eddac62806a555309d08a705f6084dd98c7cf93503927c34f
205ddcd3469193139e4b93c8f76ed6bdbbf5108e7bcd51b48753c22ee6202765
5da71f76b9caea411658b43370af339ca20d419670c755b9c1bfc263b78f07f1
fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7
f51f128bca4dc6b0aa2355907998758a2e3ac808f14c30eb0b0902f71b04e3d5
ee9ea85d37aa3a6bdc49a6edf39403d041f2155d724bd0659e6884746ea3a250
4595cdd47b63a4ae256ed22590311f388bc7a2d8
1f594456d88591d3a88e1cdd4e93c6c4e59b746c
6c9ae388fa5d723a458de0d2bea3eb63bc921af7
9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a
e99460b4e8759909d3bd4e385d7e3f9b67aa1242
e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
c61f2cdb0faf31120e33e023b7b923b01bc97fbf
0d339d08a546591aab246f3cf799f3e2aaee3889
bbcb2354ef001f476025635741a6caa00818cbe7
2483dc7273b8004ecc0403fbb25d8972470c4ee4
d87847810db8af546698e47653452dcd089c113e
E94089137a41fd95c790f88cc9b57c2b4d5625ba
Bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
f246984193c927414e543d936d1fb643a2dff77b
053ec539c138afb99054bd362bb3ed71
26c35850483c877ee23f476b38d58deb
70e4b9b7a83473687e5784489d556c87
dfd4dbfd7cbd6179fc371e5f887f189c
659c4b68f2027905def1af9249feebb3
5ff20e2b723edb2d0fb27df4fc2c4468
0790a7e0a842e1de70de194054fa11b3
3beb3d466bcc0977ec2dd66d72ab6bb3
80cfda61942eb4e71f286297a1158f48
8f90539c405672016c0dec7ac3574eea
dc88265c361d73540a31c19583271fb0
ddc50d4ae0674d854a845b3eb32508c3
c7d73ff9743fd8abcda7466f70aa3085
ad25b6af563156765025bf92c32df090
86e048d2eae96a817b272a2a7258271c

Comments

Post a Comment

Popular posts from this blog

Revil Ransomware Targeted Kaseya

Image
  Revil Ransomware Targeted Kaseya   REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. The REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.   Indicators of Compromise URLs/Domains: architekturbuero-wagner.net mindpackstudios.com vitavia.lt bouncingbonanza.com lukeshepley.wordpress.com igfap.com bockamp.com levihotelspa.fi exenberger.at tinyagency.com familypark40.com alfa-stroy72.com boompinoy.com mdacares.com architecturalfiberglass.org slupetzky.at sinal.org qualitus.com deepsouthclothingcompany.com groupe-frayssinet.fr synlab.lt kamienny-dywan24.pl ilcdover.com humancondition.co...
Read more

Buer Loader provides malware-as-a-service

Image
  Buer Loader provides malware-as-a-service       Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader. “A new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). Indicators of Compromise File Hashes 10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1 32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5 5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4   6c7f43434e5db8703c0a47dedeeab976159d8704bfb...
Read more

BANDOOK(RAT)

Image
    BANDOOK(RAT)-Malware   The payload in this attack is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli.Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server sends basic information about the infected machine and waits for additional commands from the server. Indicators of Compromise File Hash MD5 27f8d8bbbeeda5fc439ee18d9d4da343 44584c8d010242fddb44afe5ce860872 a6501c62b3a6ffa8d028a88138fe509f 7c15ee5b9a12dacaace8fb62271f12f1 4e9e12c98cfbc5f3aa3c1345bd063fa0 7ef261c151519e66ec369c63e4b1aed4 6effed1b1bb5e9ed6aafacb075c1d4e2 0475771b8bc3efc28b1834f3add608f3 045ce6679ed4086e2ded58470e24c15a 28ad9ace11919b57bf54...
Read more