N3TW0RM Ransomware Gang Emerges In Israel
A New Ransomware Gang Is Targeting Israeli Companies in a Wave of Cyberattacks.
Israeli media publication Haaretz has reported that more than four Israeli companies and one nonprofit organization have been successfully breached in what seems to be a new wave of ransomware attacks.
The ransomware group, which calls itself N3TW0RM, has created a data leak site where it threatens to publish stolen files in order to pressure its victims into paying a ransom.
H&M Israel and Veritas Logistic are two of the N3TW0RM victims already listed on the ransomware gang’s data leak site, and the threat actors have already leaked data allegedly stolen during the attack on Veritas.
The gang’s ransom demands appear small compared to other enterprise-targeting attacks: news reports put the Veritas demand at three bitcoin, around $173,000 at the time.
A WhatsApp message shared among Israeli cybersecurity researchers links the N3TW0RM ransomware with the Pay2Key attacks conducted in November 2020 and February 2021, but it’s important to note that N3TW0RM attacks have not been attributed to any hacking groups at this time.
N3TW0RM uses an unusual client-server model of encryption. Most ransomware operations distribute a standalone executable to every device the attackers want to encrypt.
From samples of the ransomware observed by BleepingComputer and the researchers at Nachmias, N3TW0RM takes a different approach: the threat actors install a program on a victim’s server that listens for connections from the connected workstations.
The threat actors use PAExec to deploy and execute the ‘slave.exe’ client on every device that will be encrypted; once a file has been encrypted it receives the ‘.n3tw0rm’ extension.
This approach lets the threat actors keep every component of the ransomware operation inside the victim’s network, reducing their own exposure, but it also adds complexity to the attack and could allow a victim to recover their decryption keys if the attackers fail to remove all of their files after the attack.
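The two host-level traces the article describes (PAExec launching the ‘slave.exe’ client, then files appearing with the ‘.n3tw0rm’ extension) can be correlated per host so that a deployment seen before any renamed files is treated as the window to isolate the machine. This is an added example, not code from the article or from any vendor; the Sysmon-style log lines, host names, paths and the PAExec-<pid>-<host>.exe naming pattern are constructed assumptions for the demonstration.

```python
"""Constructed Sysmon-style telemetry (EventID 1 = process creation,
EventID 11 = file creation); the hosts, paths and values are made up."""
from collections import defaultdict

SAMPLE_LOGS = """\
EventID=1 Host=WS01 ParentImage=C:\\Windows\\PAExec-1234-SRV01.exe Image=C:\\Windows\\Temp\\slave.exe
EventID=11 Host=WS01 Image=C:\\Windows\\Temp\\slave.exe TargetFilename=C:\\Users\\a\\plan.docx.n3tw0rm
EventID=11 Host=WS01 Image=C:\\Windows\\Temp\\slave.exe TargetFilename=C:\\Users\\a\\q2.xlsx.n3tw0rm
EventID=1 Host=WS02 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Apps\\app.exe
EventID=11 Host=WS02 Image=C:\\Apps\\app.exe TargetFilename=C:\\Users\\b\\notes.txt
EventID=1 Host=WS03 ParentImage=C:\\Windows\\PAExec-9981-SRV01.exe Image=C:\\Windows\\Temp\\slave.exe
"""

def parse(line):
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces here)."""
    return dict(tok.split("=", 1) for tok in line.split())

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(log_text):
    """Per host: was slave.exe launched by PAExec, and how many .n3tw0rm files appeared."""
    state = defaultdict(lambda: {"paexec_slave": False, "n3tw0rm_files": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["EventID"] == "1":
            # Assumption: PAExec's remote service binary is named PAExec-<pid>-<host>.exe
            if basename(ev.get("ParentImage", "")).startswith("paexec") \
                    and basename(ev.get("Image", "")) == "slave.exe":
                state[ev["Host"]]["paexec_slave"] = True
        elif ev["EventID"] == "11":
            if ev.get("TargetFilename", "").lower().endswith(".n3tw0rm"):
                state[ev["Host"]]["n3tw0rm_files"] += 1
    return state

def verdicts(state):
    """Deployment alone is the window to isolate; deployment plus renamed files means encryption is running."""
    out = {}
    for host, s in state.items():
        if s["paexec_slave"] and s["n3tw0rm_files"]:
            out[host] = "encryption in progress"
        elif s["paexec_slave"]:
            out[host] = "client deployed, isolate host"
        elif s["n3tw0rm_files"]:
            out[host] = "n3tw0rm files without deployment trace"
    return out

if __name__ == "__main__":
    for host, verdict in verdicts(analyse(SAMPLE_LOGS)).items():
        print(host, verdict)
```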