N3TW0RM Ransomware Targeting Israeli Organizations

What has happened?

• The ransom demanded by N3TW0RM was lower in comparison to other gangs. The Veritas' ransom demand was three bitcoins ($173,000), while another ransom note demanded 4 bitcoins ($231,000).
• While encrypting a network, the attackers are distributing standalone ransomware executable to every device they wanted to encrypt. N3TW0RM uses a client-server model for encryption.
• The attackers install a program on the victim's server that will listen for connections from workstations. Subsequently, PAExec is used to deploy slave[.]exe client executable on every device.
• When a slave[.]exe client is executed, it connects back to port 80 and sends an RSA key to the server. The server component stores these keys in a file and directs the clients to start encrypting devices. Moreover, encrypted files are renamed with .n3tw0rm extension.

A connection with Pay2Key ransomware

• A WhatsApp message shared with researchers revealed that the N3TW0RM ransomware shares some features with the Pay2Key attacks that happened in November 2020 and February 2021.
• Pay2Key has been linked to Fox Kitten, an Iran-based threat group, whose aim was to cause disruption or damage to Israeli interests.

Recent attacks on Israel

• Recently, the APT-C-23 threat group was seen using voice-changing software to fool targets into installing malware. It is a subgroup of Molerats who generally target the Israeli government.
• Last month, the Iran-linked TA453 threat group launched a phishing campaign targeting Israeli and U.S. medical research personnel. The espionage campaign was dubbed as BadBlood.

Conclusion