N3TW0RM Ransomware: Emerges in Wave of Cyberattacks in Israel

 

In a surge of cyberattacks that began last week, a new ransomware group known as 'N3TW0RM' is targeting Israeli companies. 

N3TW0RM, like other ransomware gangs, has set up a data leak platform where they threaten to release stolen files to threaten victims into paying a ransom. At least four Israeli companies and one nonprofit organization were successfully breached in this wave of attacks, according to Israeli news outlet Haaretz. 

Two Israeli companies, H&M Israel and Veritas Logistic have already been mentioned on the ransomware gang's data leak, with the threat actors allegedly leaking data stolen during the Veritas attack. According to Israeli media and BleepingComputer, the ransomware gang has not demanded especially large ransoms in comparison to other enterprise-targeting attacks. Veritas' ransom demand was three bitcoins, or roughly $173,000, as per Haaretz, while another ransom note shared with BleepingComputer indicates a demand of four bitcoins, or roughly $231,000. 

As per the WhatsApp message circulated by Israeli cybersecurity researchers, the N3TW0RM ransomware shares several characteristics with the Pay2Key attacks that took place in November 2020 and February 2021. 

Pay2Key has been linked to the Fox Kitten hacking group, an Iranian nation-state hacking group whose mission was to disrupt and damage Israeli interests rather than collect a ransom payment. At this time, no hacker groups have been linked to the N3TW0RM attacks. 

One source in the Israeli cybersecurity industry told BleepingComputer that N3TW0RM is also being used to sow havoc for Israeli interests as given the low ransom demands and lack of response to negotiations. However, according to Arik Nachmias, CEO of incident response firm Honey Badger Security, the attacks in N3TW0RM's case are motivated by money. 

While encrypting a network, threat actors typically distribute a standalone ransomware executable to each system they want to encrypt but N3TW0RM uses a client-server model. The N3TW0RM threat actors install a programme on a victim's server that will listen for connections from the workstations, thus according to samples [VirusTotal] of the ransomware seen by BleepingComputer and conversations with Nachmias. 

The threat actors then use PAExec to deploy and execute the'slave.exe' client executable on every device that the ransomware will encrypt, according to Nachmias. When encrypting files, the '.n3tw0rm' extension will be appended to their titles. 

According to Nachmias, the server portion would save the keys in a file and then instruct the clients to start encrypting devices. This strategy helps the threat actor to keep all aspects of the ransomware activity inside the victim's network without having to rely on a remote command and control server.

However, it increases the attack's complexity and can allow a victim to recover their decryption keys if all of the files are not deleted after the attack.