Who is Nefilim
The Nefilim cybercriminal gang started its ransomware operations in the early days of the Covid-19 pandemic. The gang, whose name recalls the mysterious giant beings in the Hebrew Bible called Nephilim, quickly came to the attention of cybersecurity experts. This is because it was one of the first ransomware groups to use the double extortion technique introduced by Maze. Unlike other ransomware groups, however, the Nefilim gang only gives its victims 7 days to pay the ransom. If the ransom is not paid within 7 days, the gang starts publishing victims’ stolen data online. Although the Nefilim ransomware group is considered relatively inactive, when it does strike, its targets are always large, well-known organizations. The group had been inactive for some months before the strike on Whirlpool. Other high-profile victims include global deliveries firm Toll Group, which was attacked in February 2020, and eyewear manufacturer Luxottica, which owns the brands Ray-Ban and Oakley. Others include India’s largest offshore drilling service provider, Aban Offshore Limited, French multinational telecommunications company Orange S.A. and the German Dussmann Group, one of the largest private worldwide multiservice providers.
How was the Ransomware Attack Conducted?
Not much is known yet as to how the cybercriminals infiltrated Whirlpool’s systems to conduct their ransomware attack. Even the date of the attack is in question. A source states that the attack occurred in the first week of December. However, according to a statement provided to BleepingComputer by Whirlpool, the breach occurred in November. “Last month Whirlpool Corporation discovered ransomware in our environment,” Whirlpool’s statement says. Nonetheless, one thing is certain. The Nefilim ransomware group began publishing stolen Whirlpool corporate data on the dark web over the weekend for non-payment. As Whirlpool did not pay the ransom demanded by the cybercriminals on time, they published two example data files online.
Whirlpool’s Corporate Data Stolen
The Nefilim ransomware group stole Whirlpool’s data before infecting its systems with the file-encrypting Nefilim malware. Amongst the data stolen were two files the group published on its leak site on the weekend. One of the leaked files listed all Whirlpool files and folders compromised by the gang during the attack. The other leaked file was an archive file. This file contained sensitive employee data including benefit details, medical information requests and accommodation requests, as well as background checks. However, this is not all. The ransom note left behind by the cybercriminals claims that they stole gigabytes’ worth of data “deemed valuable or sensitive”. Nonetheless, Whirlpool asserts that no consumer data was stolen. The company says in its statement: “The malware was detected and contained quickly. We are unaware of any consumer information that was exposed. There is no operational impact at this time.” Whirlpool also affirms that all affected systems have been fully restored.
Not the First Breach
This is not the first time that Whirlpool has been breached. In October 2019, Whirlpool left a customer database exposed online, providing access to anyone with a browser. The unsecured database contained 28.1 million records including customer email addresses, appliance model numbers bought by customers and other attributes. The home appliance giant is a very lucrative target for cybercriminal groups. Consequently, it is no wonder that it has found itself in cybercriminals’ firing line multiple times. However, the company should have learnt from its first breach and ensured that its cybersecurity defenses are not “fragile”, as the Nefilim gang asserts. The Fortune 500 company employs over 92,000 people worldwide and generates approximately $20 billion in revenue. Appliances under its name include KitchenAid, Maytag, Brastemp, Consul, Hotpoint, Indesit and Bauknecht, among others.