Get Permission The operators of the Nefilim ransomware used the credentials of a deceased system administrator to plant their crypto-locking malware in about 100 vulnerable systems during one attack, according to a recent report published by security firm Sophos. Nefilim, which is also known as Nemty, is a relatively new ransomware variant; its operators target organizations with unpatched or poorly secured Citrix remote access technology. In December 2020, the ransomware was tied to an attack that targeted appliance maker Whirlpool (see: The criminal gang's use of the credentials that belonged to a deceased system administrator caught the attention of the Sophos researchers.