Risk and reward: Nefilim ransomware gang mainly targets fewer, richer companies and that strategy is paying off, warns Trend Micro
The Nefilim ransomware gang might not be the best known or most prolific online extortion crew, but their penchant for attacking small numbers of $1bn+ turnover firms is paying off, according to the latest research.
"Of the 16 ransomware groups studied from March 2020 to January 2021, Conti, Doppelpaymer, Egregor and REvil led the way in terms of number of victims exposed - and Cl0p had the most stolen data hosted online at 5TB. However, with its ruthless focus on organizations posting more than $1bn in revenue, Nefilim extorted the highest median revenue," said Trend Micro in a report released on Tuesday.
Nefilim is, according to Trend, a ransomware gang that was first observed in late 2019, with actual attacks being seen in March 2020 - just as the COVID-19 pandemic drove the entire world online and to remote working.
Despite targeting big businesses, Nefilim's access methods were just the same as the ones constantly warned about by the infosec industry, said Trend Micro, explaining: "In the case of Nefilim ransomware attacks, our investigations uncovered the use of exposed RDP services and publicly available exploits to gain initial access - namely, a vulnerability in the Citrix Application Delivery Controller."
Trend also referred to previous research from Digital Shadows on so-called initial access brokers, essential actors in the ransomware business chain who make the first break into a target's networks before selling that illicit access to other criminal organisations.
Trend Micro research veep Bharat Mistry told The Register that ransomware gangs' business models are just as developed as anything in the western IT market, with different elements of attacks being carried out by different groups of criminals.