Whirlpool is the Victim of Nefilim Ransomware Attack

Posted on by Dawna M. Roberts in News January 21, 2021

 Major appliance manufacturer Whirlpool announced in December that in November 2020 that they were the victim of ransomware. The culprits (cyber gang Nefilim) took credit for the scheme and admitted to exfiltrating company data and later threatened to leak it on the dark web.

What Happened?

In a report issued to Security Media Group, a Whirlpool spokesperson admitted that “Last month Whirlpool Corporation discovered ransomware in our environment. The malware was detected and contained.” They assured customers that the attack and data breach did not contain any consumer information.

However, Whirlpool is being tight-lipped about the impact the ransomware had on its systems and if they paid or how they responded. They did say that the ransomware has not affected its operations in any way.

Who is Nefilim?

Cybercriminal gang Nefilim (aka Nephilim) is well known by threat experts such as Emsisoft, who confirmed in late December that the crew posted two files rumored to contain information from the Whirlpool data breach and exfiltration. On December 26, Nefilim posted on their website,

“This leak comes after long negotiations and unwillingness of Whirlpool Corporation executives to uphold the interests of their stakeholders. Whirlpools cybersecurity is very fragile, which allowed us to breach their network for the second time after they stopped the negotiations.”

As of yet, no one knows what information is contained within the two files and how damaging the release of it may be.

According to Data Breach Today, “The Nefilim group is best known for going after organizations that use unpatched or poorly secured Citrix remote-access technology, then stealing data, unleashing crypto-locking malware and using the threat of exfiltrated data being publicly dumped to try to force payment.”

This past June, New Zealand’s CERT issued warnings about this particular hacker group and the dangers posed to businesses using Citrix. In their announcement, they said;

“We are aware of attackers accessing organizations’ networks through remote access systems, such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organizations not using multi factor authentication as an extra layer of security, or a remote access system that isn’t patched.”

Data Breach Today warns organizations that if you are hit by Nefilim, you will see:

  • “Files with a .NEPHILIM extension.
  • A file called NEPHILIM-DECRYPT.txt may be placed on affected systems.
  • Batch files created in C:WindowsTemp.

Double Extortion is the New Game

The new trend among cybercriminals is not just to encrypt company data making it unusable and demanding ransom. Now, hackers like Nefilim are using a two-pronged approach, and before encrypting the data, they exfiltrate it all to their own servers and threaten to leak it for additional gain or expose it to embarrass or damage the company’s reputation. 

This double extortion technique is being used by all major hacker gangs and started with Maze in 2019, and has been seen in recent use by Ryuk, REvil, and DoppelPaymer, and Netwalker. 

What Can Companies Like Whirlpool Do?

The biggest failing among companies like Whirlpool is to ignore the threat until it stops at their door. Using outdated Citrix components or other services and hardware is inexcusable.

Organizations like Whirlpool must make cybersecurity as number 1 priority. They should start by performing a complete cybersecurity audit looking for vulnerabilities like buggy software and insecure network practices. Threat experts recommend hiring a specialized team to do an independent evaluation and then making an investment in upgrades and changes to better secure their infrastructure and network model. Additionally, they should install network monitoring capabilities and alerts to detect any unwanted intrusions by threat actors.

Check Your Records For Breaches, Leaks, & Exposures

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of the... Read More

Scan Your Records for Breaches, Leaks & Exposures!