Threat Actor Profile
Medium
Cybercriminal
Description
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. One difference is the removal of the RaaS component, which was replaced by email communication for payments. It uses AES-128 for file encryption, with the AES key then protected by RSA-2048.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'According to Vitali Kremez and Michael Gillespie, this '
'ransomware shares much code with Nemty 2.5. A difference is '
'removal of the RaaS component, which was switched to email '
'communications for payments. Uses AES-128, which is then '
'protected RSA2048.\n',
'firstseen': '2020-05-05T00:00:00+00:00',
'group': 'nefilim',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2021-09-09T23:46:57.082905+00:00',
'locations': [{'available': False,
'fqdn': 'hxt254aygrsziejn.onion',
'slug': 'http://hxt254aygrsziejn.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'hxt254aygrsziejn.onion',
'slug': 'http://hxt254aygrsziejn.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'nefilim',
'tools': {},
'url': 'https://www.ransomware.live/group/nefilim',
'victims': 15,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/nefilim',
'victims': 15,
'vulnerabilities': []}