
SentinelOne vs Nefilim Ransomware

Nefilim, which shares a substantial amount of code with Nemty, first appeared in February 2020. The primary delivery vector appears to be RDP (compromised or exposed Remote Desktop services). By Jim Walter.
Similar to Maze, REvil, and DoppelPaymer, the attackers threaten to release their victims' data if the victims do not cooperate with the ransom demands. Upon encryption, the NEFILIM extension is added to affected files, and the same string is embedded in them as a marker. Files are encrypted via AES-128. The encryption key is subsequently encrypted with an RSA-2048 public key that is embedded in the malicious executable. Victims are instructed to contact the attackers via email (addresses are in the ransom notes), as opposed to a web-based payment portal.
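
A triage check for the two file indicators described above (the appended extension and the embedded marker string), added here as an example and not SentinelOne's code. The page does not say where in a file the marker sits, so the code assumes it can be anywhere and streams the whole file; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

MARKER = b"NEFILIM"      # string the page says is embedded in encrypted files
EXTENSION = ".nefilim"   # appended extension, compared case-insensitively

def contains_marker(path, marker=MARKER, chunk=1 << 20):
    """Stream a file; True if the marker occurs anywhere, even across chunk edges."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            window = tail + block
            if marker in window:
                return True
            tail = window[-(len(marker) - 1):]  # keep enough bytes to catch a split marker
    return False

def triage(root):
    """Map relative path -> (has_extension, has_marker) for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            has_ext = name.lower().endswith(EXTENSION)
            try:
                has_marker = contains_marker(path)
            except OSError:
                has_marker = False  # unreadable: judge on the name alone
            if has_ext or has_marker:
                findings[os.path.relpath(path, root)] = (has_ext, has_marker)
    return findings

def build_sample_tree(root):
    """Write constructed sample files (not real ransomware output) under root."""
    samples = {
        "report.docx.NEFILIM": b"\x00" * 64 + MARKER,  # extension and marker
        "renamed.bin": b"\x01" * 64 + MARKER,          # marker only (file renamed)
        "empty.txt.NEFILIM": b"",                      # extension only
        "clean.txt": b"quarterly numbers",             # neither
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo():
    """Build the constructed tree in a temp directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)

if __name__ == "__main__":
    for path, (ext, marker) in sorted(demo().items()):
        print(f"{path}: extension={ext} marker={marker}")
```

A file that matches on only one of the two signals (a renamed file, or a document that merely mentions the name) is a weaker hit than one that matches both, which is why the result keeps the two flags separate.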
