Introduction
JSWorm is a ransomware family that first appeared in May 2019 and is notable for undergoing multiple rebrands and evolutions, later appearing under names such as Nemty, Nefilim, Offwhite, Fusion, and Milihpen. Initially, it was distributed via malicious spam emails containing JavaScript files, hence the “JS” in its name. Later versions moved to targeted intrusions, leveraging compromised RDP services and vulnerable network appliances for initial access. JSWorm encrypts files using AES-256 encryption with RSA-2048 for key protection and appends campaign-specific extensions (e.g., .JSWORM, .Nemty, .Nephilim). The group adopted a double-extortion model in its later stages, stealing data before encryption and threatening to leak it via Tor-hosted sites. Its victimology spans various sectors worldwide, including manufacturing, energy, healthcare, and professional services. The continuous rebranding suggests an effort to evade detection, disrupt attribution, and maintain pressure on victims.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.