
Whirlpool Hit With Ransomware Attack

Nefilim Ransomware Gang Takes Responsibility, Posts Allegedly Stolen Data

The major appliances giant Whirlpool acknowledges it was hit with a ransomware attack in November, with the cyber gang Nefilim taking responsibility for the cyber incident and claiming to have stolen company data.


"Last month Whirlpool Corporation discovered ransomware in our environment. The malware was detected and contained," a company spokesperson tells Information Security Media Group.

Whirlpool says it is unaware of any consumer information being exposed because of the attack and that the ransomware is not causing any operational difficulties at this time. The company gave no information on the attack's impact upon its systems and operations when it initially took place.

The ransomware gang Nefilim – aka Nephilim – has taken responsibility for the attack. Emsisoft threat analyst Brett Callow confirms to ISMG that the cyber gang has posted two files to its wall-of-shame news site with information it claims is from Whirlpool.

"This leak comes after long negotiations and unwillingness of executives of Whirlpool Corporation to uphold the interests of their stakeholders. Whirlpools [sic] cybersecurity is very fragile, which allowed us to breach their network for the second time after they stopped the negotiations," Nefilim writes in a post on its site dated Dec. 26.

[Image: Nefilim's public posting of its attack]

The ransomware gang did not indicate what type of information it is leaking.

Whirlpool did not reveal any information regarding more than one ransomware attack.

Nefilim's History

The Nefilim group is best known for going after organizations that use unpatched or poorly secured Citrix remote-access technology, then stealing data, unleashing crypto-locking malware and using the threat of exfiltrated data being publicly dumped to try to force payment (see: Nefilim Ransomware Gang Tied to Citrix Gateway Hacks).

In June, New Zealand's CERT issued a warning specifically citing Nefilim's activity and detailed how it conducts an attack.

"We are aware of attackers accessing organizations' networks through remote access systems, such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organizations not using multifactor authentication as an extra layer of security, or a remote access system that isn't patched," NZ CERT said.

The agency said organizations hit with a typical Nefilim attack will see:

  • Files with a .NEFILIM extension;
  • A file called NEFILIM-DECRYPT.txt, which may be placed on affected systems;
  • Batch files created in C:\Windows\Temp.
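The three NZ CERT indicators above can be turned into a simple host-level sweep. The following is an added example, not code from the article or from NZ CERT: it walks a directory tree (assumed to be a mounted drive or a forensic image of C:) and reports encrypted files, ransom notes and batch files under a Windows\Temp folder, using a constructed sample tree so it runs offline.

```python
import tempfile
from pathlib import Path

# Indicators taken from the NZ CERT advisory quoted above.
RANSOM_EXT = ".nefilim"            # appended to encrypted files
RANSOM_NOTE = "nefilim-decrypt.txt"  # ransom note dropped on affected hosts


def scan_for_nefilim_indicators(root):
    """Walk `root` and collect paths matching each Nefilim indicator.

    `root` is assumed to be the top of a mounted drive or image, so a
    batch file at <root>/Windows/Temp/x.bat maps to C:\\Windows\\Temp\\x.bat.
    Matching is case-insensitive because NTFS paths are.
    """
    findings = {"encrypted_files": [], "ransom_notes": [], "temp_batch_files": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(RANSOM_EXT):
            findings["encrypted_files"].append(str(path))
        elif name == RANSOM_NOTE:
            findings["ransom_notes"].append(str(path))
        elif name.endswith(".bat"):
            parent, grandparent = path.parent, path.parent.parent
            if parent.name.lower() == "temp" and grandparent.name.lower() == "windows":
                findings["temp_batch_files"].append(str(path))
    return findings


def build_sample_tree(base):
    """Constructed sample drive layout: one hit per indicator plus a benign file."""
    docs = Path(base) / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.NEFILIM").write_bytes(b"\x00" * 16)   # constructed
    (docs / "NEFILIM-DECRYPT.txt").write_text("constructed ransom note")
    (docs / "notes.txt").write_text("benign file, should not match")
    temp = Path(base) / "Windows" / "Temp"
    temp.mkdir(parents=True)
    (temp / "run.bat").write_text("rem constructed batch file")
    return base


def demo():
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_nefilim_indicators(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(f"{kind}: {hits}")
```

A real sweep would point `scan_for_nefilim_indicators` at the mounted volume and feed the hits into the incident ticket; the presence of any of the three is a reason to isolate the host, not a confirmation of the strain on its own.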

Extortion Tactics

The double-extortion tactic preferred by Nefilim became a mainstream tool among many ransomware gangs in 2020. The methodology, started by the now supposedly defunct Maze gang in 2019, is now used by Ryuk, REvil/Sodinokibi, Netwalker and DoppelPaymer (see: Ransomware 2020: A Year of Many Changes).

"This 'monkey see, monkey do' approach has been extremely common in 2020, with threat actors constantly seeking to expand their offensive toolkit by mimicking successful techniques employed by other criminal groups," says Stefano De Blasi, threat researcher at Digital Shadows.


About the Author

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.