Menu
Browse

Cyber Threat Actor: Nefilim

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
13 incidents
Profile

Nefilim, also known as Nemty or Nefilim operators, is a ransomware threat group active since at least 2020. The group employs a double-extortion model, exfiltrating sensitive data before encrypting victim systems and threatening public leaks to coerce ransom payments. Their operations consistently target large organizations across multiple sectors, including aviation (Spirit Airlines), healthcare (Atlanta Allergy & Asthma), manufacturing (Whirlpool), energy (SPIE Group), and media (Madsack Media Group). Geographic targeting appears opportunistic, with confirmed victims spanning Germany, the United States, France, Italy, and China. Financial gain remains their primary objective, evidenced by systematic data theft and ransom demands paired with countdown timers on leak sites.

The group utilizes the Nefilim ransomware variant and maintains dedicated dark web leak sites to publish stolen data. Initial access vectors include exploiting vulnerable internet-facing systems, with confirmed cases involving Citrix CVE-2019-19781 vulnerabilities (Luxottica) and suspected phishing campaigns. Post-compromise, they exfiltrate substantial data volumes—ranging from 11.5 GB at SPIE Group to 200 GB at Dussmann Group subsidiary DKA—before deploying encryption. Leaked data samples frequently contain sensitive operational documents, financial records, intellectual property (e.g., Orange's aircraft schematics), and personally identifiable information, strategically selected to maximize victim pressure. Notable operations include the 2021 attack on Spirit Airlines, where over 40GB of passenger financial records were leaked, and the 2020 breach of Orange Business Services, which exposed proprietary data from 20 enterprise clients. The group demonstrates consistent tradecraft in data staging, often releasing initial samples before escalating leaks, as seen in their Atlanta Allergy & Asthma attack where 1.3GB of patient health data preceded threats to release 19GB more. While no state affiliation is documented, their criminal business model aligns with ransomware-as-a-service ecosystems.

Incidents
Attributed incidents available to members
13 incidents
Sources
Sources available to members
52 sources