Whirlpool is the Victim of Nefilim Ransomware Attack

 Major appliance manufacturer Whirlpool announced in December that in November 2020 that they were the victim of ransomware. The culprits (cyber gang Nefilim) took credit for the scheme and admitted to exfiltrating company data and later threatened to leak it on the dark web.

What Happened?

In a report issued to Security Media Group, a Whirlpool spokesperson admitted that “Last month Whirlpool Corporation discovered ransomware in our environment. The malware was detected and contained.” They assured customers that the attack and data breach did not contain any consumer information.

However, Whirlpool is being tight-lipped about the impact the ransomware had on its systems and if they paid or how they responded. They did say that the ransomware has not affected its operations in any way.

Who is Nefilim?

Cybercriminal gang Nefilim (aka Nephilim) is well known by threat experts such as Emsisoft, who confirmed in late December that the crew posted two files rumored to contain information from the Whirlpool data breach and exfiltration. On December 26, Nefilim posted on their website,

“This leak comes after long negotiations and unwillingness of Whirlpool Corporation executives to uphold the interests of their stakeholders. Whirlpools cybersecurity is very fragile, which allowed us to breach their network for the second time after they stopped the negotiations.”

As of yet, no one knows what information is contained within the two files and how damaging the release of it may be.

According to Data Breach Today, “The Nefilim group is best known for going after organizations that use unpatched or poorly secured Citrix remote-access technology, then stealing data, unleashing crypto-locking malware and using the threat of exfiltrated data being publicly dumped to try to force payment.”

This past June, New Zealand’s CERT issued warnings about this particular hacker group and the dangers posed to businesses using Citrix. In their announcement, they said;

“We are aware of attackers accessing organizations’ networks through remote access systems, such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organizations not using multi factor authentication as an extra layer of security, or a remote access system that isn’t patched.”

Data Breach Today warns organizations that if you are hit by Nefilim, you will see:

• “Files with a .NEPHILIM extension.
• A file called NEPHILIM-DECRYPT.txt may be placed on affected systems.
• Batch files created in C:WindowsTemp.”

Double Extortion is the New Game

The new trend among cybercriminals is not just to encrypt company data making it unusable and demanding ransom. Now, hackers like Nefilim are using a two-pronged approach, and before encrypting the data, they exfiltrate it all to their own servers and threaten to leak it for additional gain or expose it to embarrass or damage the company’s reputation. 

This double extortion technique is being used by all major hacker gangs and started with Maze in 2019, and has been seen in recent use by Ryuk, REvil, and DoppelPaymer, and Netwalker. 

What Can Companies Like Whirlpool Do?

The biggest failing among companies like Whirlpool is to ignore the threat until it stops at their door. Using outdated Citrix components or other services and hardware is inexcusable.

Organizations like Whirlpool must make cybersecurity as number 1 priority. They should start by performing a complete cybersecurity audit looking for vulnerabilities like buggy software and insecure network practices. Threat experts recommend hiring a specialized team to do an independent evaluation and then making an investment in upgrades and changes to better secure their infrastructure and network model. Additionally, they should install network monitoring capabilities and alerts to detect any unwanted intrusions by threat actors.