A ransomware gang, known as N3TW0RM, has been targeting Israeli organizations. According to Israeli media, around four Israeli organizations and one nonprofit had been breached. In addition, the gang has a data leak site where they threaten to leak the stolen files if the ransom is not paid.

What has happened?

Names of H&M Israel and Veritas Logistics Ltd have been added to the gang's data leak site. Additionally, the attackers leaked the stolen data.
  • The ransom demanded by N3TW0RM was lower in comparison to other gangs. The Veritas' ransom demand was three bitcoins ($173,000), while another ransom note demanded 4 bitcoins ($231,000).
  • While encrypting a network, the attackers are distributing standalone ransomware executable to every device they wanted to encrypt. N3TW0RM uses a client-server model for encryption.
  • The attackers install a program on the victim's server that will listen for connections from workstations. Subsequently, PAExec is used to deploy slave[.]exe client executable on every device.
  • When a slave[.]exe client is executed, it connects back to port 80 and sends an RSA key to the server. The server component stores these keys in a file and directs the clients to start encrypting devices. Moreover, encrypted files are renamed with .n3tw0rm extension.

A connection with Pay2Key ransomware

  • A WhatsApp message shared with researchers revealed that the N3TW0RM ransomware shares some features with the Pay2Key attacks that happened in November 2020 and February 2021.
  • Pay2Key has been linked to Fox Kitten, an Iran-based threat group, whose aim was to cause disruption or damage to Israeli interests.

However, N3TW0RM is not attributed to any group at present.

Recent attacks on Israel

  • Recently, the APT-C-23 threat group was seen using voice-changing software to fool targets into installing malware. It is a subgroup of Molerats who generally target the Israeli government.
  • Last month, the Iran-linked TA453 threat group launched a phishing campaign targeting Israeli and U.S. medical research personnel. The espionage campaign was dubbed as BadBlood.


N3TW0RM ransomware gang is new to the threat landscape and has already successfully targeted multiple organizations. In addition, ransomware attacks are increasingly growing and have become a menace all around the world. Thus, organizations are recommended to defend themselves proactively instead of having a reactive approach.

Cyware Publisher