
N3TW0RM Ransomware Targets Israel in a Series of Cyberattacks

by CISOCONNECT Bureau

A new ransomware group known as ‘N3TW0RM’ has been targeting Israeli organizations in a series of cyberattacks. Read on to learn more about it.

N3TW0RM, a ransomware group, has been attacking Israeli organizations. According to the Israeli newspaper Haaretz, around four Israeli companies and one nonprofit have been breached. The gang also runs a data leak site, where it threatens to publish the stolen files unless the ransom is paid.

The gang’s data leak site now lists H&M Israel and Veritas Logistics Ltd., and the attackers have already published data stolen from them.

In contrast to other gangs, N3TW0RM’s ransom demands are comparatively low. The cybercriminals demanded three bitcoins (roughly $173,000) from Veritas, while four bitcoins (roughly $231,000) were demanded in another ransom note.

Working Mechanism
Based on Bleeping Computer’s analysis of a ransomware sample and the observations of Nachmias researchers, N3TW0RM takes a different approach to encrypting data. Rather than having each device run a self-contained ransomware executable that encrypts on its own, N3TW0RM uses a client-server model.

On a server inside the victim’s network, the threat actors install a program that listens for connections from workstations. They then use PAExec to push the slave[.]exe client executable to every device they want to encrypt.

When slave[.]exe runs, it connects to the server on port 80 and sends it an RSA key. The server component saves these keys to a file and then instructs the clients to begin encrypting their devices. Encrypted files are renamed with a .n3tw0rm suffix.

This design keeps every component of the operation inside the victim’s network rather than exposing it to outside infrastructure. It also adds complexity to the attack and creates a weakness for the attackers: the server-side file of collected RSA keys is the decryption material, so if the attackers fail to delete it after the attack, the victim may be able to recover their decryption keys from it. Responders should therefore preserve an image of the listening server before rebuilding it.
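The client-server pattern described above leaves three observables a defender can hunt for: a PAExec push of the same unfamiliar binary to many hosts, many workstations opening TCP/80 to one internal host that is not a web server, and files renamed with the .n3tw0rm suffix. The following hunting script is an added example and is not code from the article, from Bleeping Computer, or from the ransomware itself. It runs over a few constructed endpoint records; the field names (host, parent, image, src, dst, dport, path), the IP addresses, the host names and the inventory of legitimate web servers are all assumptions for illustration.

```python
"""Hunt for the N3TW0RM-style client/server deployment pattern in endpoint telemetry.

Added example, not code from the article. The records below are constructed
sample data, and the field names are assumed rather than taken from any
particular log source.
"""
from collections import defaultdict

# --- Constructed sample telemetry (not real data) --------------------------
PROCESS_EVENTS = [
    {"host": "WS01", "parent": "paexec.exe", "image": "C:\\Windows\\slave.exe"},
    {"host": "WS02", "parent": "paexec.exe", "image": "C:\\Windows\\slave.exe"},
    {"host": "WS03", "parent": "paexec.exe", "image": "C:\\Windows\\slave.exe"},
    {"host": "WS04", "parent": "explorer.exe", "image": "C:\\Windows\\notepad.exe"},
    # Legitimate PAExec use: an admin pushing a patch installer to one host
    {"host": "WS05", "parent": "paexec.exe", "image": "C:\\Temp\\kb_update.exe"},
]

NETWORK_EVENTS = [
    {"src": "WS01", "dst": "10.0.0.25", "dport": 80},
    {"src": "WS02", "dst": "10.0.0.25", "dport": 80},
    {"src": "WS03", "dst": "10.0.0.25", "dport": 80},
    {"src": "WS04", "dst": "10.0.0.25", "dport": 80},
    # Normal browsing to the intranet web server (in the known inventory)
    {"src": "WS01", "dst": "10.0.0.10", "dport": 80},
    {"src": "WS02", "dst": "10.0.0.10", "dport": 80},
    {"src": "WS03", "dst": "10.0.0.10", "dport": 80},
    {"src": "WS04", "dst": "10.0.0.10", "dport": 443},
]

FILE_EVENTS = [
    {"host": "WS01", "path": "C:\\Users\\dana\\Documents\\q1.xlsx.n3tw0rm"},
    {"host": "WS01", "path": "C:\\Users\\dana\\Documents\\q1.xlsx"},
    {"host": "WS02", "path": "D:\\share\\invoice.pdf.n3tw0rm"},
]

KNOWN_WEB_SERVERS = {"10.0.0.10"}  # assumed inventory of legitimate HTTP hosts
RANSOM_SUFFIX = ".n3tw0rm"         # extension the article attributes to N3TW0RM


def paexec_pushed_binaries(events, min_hosts=3):
    """Return {image: sorted hosts} for binaries that PAExec launched on at
    least `min_hosts` distinct hosts. PAExec is a normal admin tool, so one
    push is not suspicious; the same image landing everywhere is the signal."""
    hosts_by_image = defaultdict(set)
    for ev in events:
        if ev["parent"].lower() == "paexec.exe":
            hosts_by_image[ev["image"].lower()].add(ev["host"])
    return {img: sorted(h) for img, h in hosts_by_image.items() if len(h) >= min_hosts}


def port80_fanin(events, known_web_servers, min_sources=3):
    """Return {dst: sorted sources} for internal hosts that received TCP/80
    connections from at least `min_sources` distinct workstations and are
    not in the inventory of legitimate web servers (candidate key servers)."""
    sources_by_dst = defaultdict(set)
    for ev in events:
        if ev["dport"] == 80 and ev["dst"] not in known_web_servers:
            sources_by_dst[ev["dst"]].add(ev["src"])
    return {d: sorted(s) for d, s in sources_by_dst.items() if len(s) >= min_sources}


def ransom_renames(events, suffix=RANSOM_SUFFIX):
    """Return {host: sorted paths} of files carrying the ransom suffix."""
    paths_by_host = defaultdict(set)
    for ev in events:
        if ev["path"].lower().endswith(suffix):
            paths_by_host[ev["host"]].add(ev["path"])
    return {h: sorted(p) for h, p in paths_by_host.items()}


def hunt(process_events, network_events, file_events, known_web_servers):
    """Combine the three checks. The PAExec push and the port-80 fan-in are
    the early signals (before encryption starts); the renames confirm impact.
    Hosts that appear in both early signals are the strongest candidates for
    the client population talking to the key server."""
    pushed = paexec_pushed_binaries(process_events)
    fanin = port80_fanin(network_events, known_web_servers)
    renamed = ransom_renames(file_events)
    pushed_hosts = {h for hosts in pushed.values() for h in hosts}
    fanin_hosts = {s for srcs in fanin.values() for s in srcs}
    return {
        "paexec_pushed": pushed,
        "suspect_key_servers": fanin,
        "ransom_suffix_hosts": renamed,
        "overlap": sorted(pushed_hosts & fanin_hosts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(PROCESS_EVENTS, NETWORK_EVENTS, FILE_EVENTS, KNOWN_WEB_SERVERS), indent=2))
```

On the constructed data the script flags slave.exe as pushed to WS01 through WS03, 10.0.0.25 as a non-web host collecting port-80 connections from four workstations, and two hosts already holding .n3tw0rm files. The single legitimate PAExec push and the traffic to the known intranet server are not reported. In a real environment the web-server inventory is the part that needs care: a thin or stale inventory will produce false positives on ordinary HTTP traffic, and the fan-in threshold should be tuned to the size of the estate.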

Similarities with Pay2Key Ransomware
According to a WhatsApp message shared with researchers, the N3TW0RM ransomware shares some similarities with the Pay2Key ransomware attacks of November 2020 and February 2021. Pay2Key has been linked to Fox Kitten, an Iran-based threat group that aims to disrupt or damage Israeli interests. Nevertheless, N3TW0RM has not yet been attributed to any group.

After initial communications with the hacker revealed some warning signs, technical teams were able to find evidence resembling Fox Kitten and the Iranian Pay2Key campaigns of last November and early February, respectively. The hacker appears to be using the same libraries and parameter names.

Recent Attacks
The APT-C-23 threat group, a Molerats subgroup that mostly targets the Israeli government, has recently been observed using voice-changing software tools to trick targets into installing malware.

Last month, the Iran-linked TA453 threat group launched a phishing campaign aimed at medical researchers in Israel and the United States. The espionage operation was codenamed BadBlood.

Concluding Words
The N3TW0RM ransomware group is relatively new to the threat landscape but has already hit a number of organizations. Ransomware attacks more broadly continue to increase and have become a global threat, so companies are advised to protect themselves proactively rather than reactively.
