Nefilim Ransomware
Nefilim is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on March 1, 2020, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Nefilim, Nefilim Doxware, Nephilim, Offwhite, Sigareta, Telegram, Nef1lim, Mefilin, Trapget, Merin, Fusion, Infection, Milihpen, Derzko, Gangbang, Kiano, Mansory.
Quick Facts
- Ransomware Family: Nefilim
- First Seen: March 1, 2020
- Known Aliases: Nefilim, Nefilim Doxware, Nephilim, Offwhite, Sigareta, Telegram, Nef1lim, Mefilin, Trapget, Merin, Fusion, Infection, Milihpen, Derzko, Gangbang, Kiano, Mansory
How Nefilim Ransomware Works
File Encryption Patterns
Nefilim modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
- .NEFILIM
- .NEPHILIM
- .OFFWHITE
- .SIGARETA
- .TELEGRAM
- .NEF1LIM
- .MEFILIN
- .TRAPGET
- .MERIN
- .FUSION
- .INFECTION
- .MILIHPEN
- .DERZKO
- .GANGBANG
- .BENTLEY
- .KIANO
- .MANSORY
- .f1
- .LEAKS
- .PUSSY
Ransom Note and Payment Demands
After encrypting files, Nefilim displays ransom notes demanding payment for file recovery:
- NEFILIM-DECRYPT.txt (ransom message: notes/NEFILIM-DECRYPT.txt; note locations: EveryFolder)
- NEPHILIM-DECRYPT.txt (ransom message: notes/NEPHILIM-DECRYPT.txt; note locations: EveryFolder)
- OFFWHITE-MANUAL.txt (ransom message: notes/OFFWHITE-MANUAL.txt; note locations: EveryFolder)
- SIGARETA-RESTORE.txt (ransom message: notes/SIGARETA-RESTORE.txt; note locations: EveryFolder)
- TELEGRAM-RECOVER.txt (ransom message: notes/TELEGRAM-RECOVER.txt; note locations: EveryFolder)
- NEF1LIM-DECRYPT.txt (ransom message: notes/NEF1LIM-DECRYPT.txt; note locations: EveryFolder)
- MEFILIN-README.txt
- TRAPGET-INSTRUCTION.txt (ransom message: notes/TRAPGET-INSTRUCTION.txt; note locations: EveryFolder)
- MERIN-DECRYPTING.txt (ransom message: notes/MERIN-DECRYPTING.txt; note locations: EveryFolder)
- FUSION-README.txt (ransom message: notes/FUSION-README.txt; note locations: EveryFolder)
- INFECTION-HELP.txt
- MILIHPEN-INSTRUCT.txt (ransom message: notes/MILIHPEN-INSTRUCT.txt; note locations: EveryFolder)
- DERZKO-HELP.txt
- GANGBANG-NOTE.txt
- BENTLEY-HELP.txt
- NEFILIM-HELP.txt
- KIANO-HELP.txt
- MANSORY-MESSAGE.txt
- f1-HELP.txt
- LEAKS!!!DANGER.txt
- PUSSY!!!DANGER.txt
Technical Indicators
Associated Executable Files
The following executable files are associated with Nefilim ransomware:
2.exe
1.exe
nelifis.exe
kinodomino.exe
JISFMU5GNZSHLnG.exe
weeli.exe
FB_21B3.tmp.exe
sync.bad
winnit.bin
red.eze
spt.exe
tel.exe
alt.exe
happynewyear.exe
aes.exe
scc-2.exe
mma.exe
spt(1).bin
xxx.exe
sync.bad.exe
look (uploaded by Matt Browning (via weblink) Sep 22 2020 11-03-47 UTC).exe
About This Analysis
This Nefilim ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Nefilim.
Last updated: July 30, 2025