A new ransomware group, ‘N3TW0RM’, is targeting Israeli companies. Like other ransomware gangs, N3TW0RM has set up a data leak platform where it threatens to publish stolen files in order to pressure victims into paying a ransom.
Two Israeli companies, H&M Israel and Veritas Logistic, have already been listed on the gang’s data leak site, and the threat actors have allegedly leaked data stolen during the Veritas attack. The ransom demands are small compared to those of other groups.
N3TW0RM ransomware shares several characteristics with the Pay2Key attacks. Pay2Key has been linked to the Fox Kitten hacking group, an Iranian nation-state hacking group whose mission was to disrupt and damage Israeli interests rather than collect a ransom payment.
When encrypting a network, threat actors typically distribute a standalone ransomware executable to each system they want to encrypt, but N3TW0RM uses a client-server model. The N3TW0RM threat actors install a programme on a victim’s server that listens for connections from the workstations.
The threat actors then use PAExec to deploy and execute the ‘slave.exe’ client executable on every device that the ransomware will encrypt, according to Nachmias. When files are encrypted, the ‘.n3tw0rm’ extension is appended to their names.
The server portion would save the keys in a file and then instruct the clients to start encrypting devices. This strategy helps the threat actor to keep all aspects of the ransomware activity inside the victim’s network without having to rely on a remote command and control server.
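As an added example (not from the article or the reporting it cites), this is the kind of detection logic a defender could run over endpoint telemetry to spot the deployment pattern described above: PAExec spawning ‘slave.exe’ on several hosts within a few minutes, followed by files being renamed with the ‘.n3tw0rm’ extension. The event records, field names and thresholds are constructed assumptions, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one normalised record per event.
EVENTS = [
    {"ts": "2021-05-02T01:00:05", "host": "ws01", "type": "process",
     "parent": "paexec.exe", "image": "slave.exe"},
    {"ts": "2021-05-02T01:00:09", "host": "ws02", "type": "process",
     "parent": "paexec.exe", "image": "slave.exe"},
    {"ts": "2021-05-02T01:00:14", "host": "ws03", "type": "process",
     "parent": "paexec.exe", "image": "slave.exe"},
    {"ts": "2021-05-02T01:02:30", "host": "ws01", "type": "file_rename",
     "path": r"C:\Users\a\Documents\report.docx.n3tw0rm"},
    {"ts": "2021-05-02T01:02:31", "host": "ws02", "type": "file_rename",
     "path": r"C:\Shares\finance\q1.xlsx.n3tw0rm"},
    # Legitimate single-host admin use of PAExec, hours later: must not alert.
    {"ts": "2021-05-02T03:15:00", "host": "admin01", "type": "process",
     "parent": "paexec.exe", "image": "inventory.exe"},
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def paexec_fanout(events, image="slave.exe", window=timedelta(minutes=5), min_hosts=3):
    """Hosts where PAExec spawned `image`, if at least `min_hosts` distinct hosts
    did so inside one sliding `window`; otherwise an empty list (no alert)."""
    hits = sorted((_parse(e["ts"]), e["host"]) for e in events
                  if e["type"] == "process"
                  and e["parent"].lower() == "paexec.exe"
                  and e["image"].lower() == image)
    for i, (start, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []

def n3tw0rm_renames(events, ext=".n3tw0rm"):
    """Per-host count of renames that added the ransomware extension."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "file_rename" and e["path"].lower().endswith(ext):
            counts[e["host"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print("PAExec fan-out hosts:", paexec_fanout(EVENTS))
    print("Hosts with .n3tw0rm renames:", n3tw0rm_renames(EVENTS))
```

The fan-out check alone catches the deployment stage before any file is renamed, which is where the client-server design gives defenders a window the rename check no longer does.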