In a wave of cyberattacks that started last week, a new ransomware gang tracked as ‘N3TW0RM’ is targeting predominantly Israeli companies.
According to Israeli media company Haaretz, at least four Israeli companies and one non-profit organization have been breached by the attackers.
N3TW0RM has created a data leak website where it threatens to publish stolen files if victims don’t pay a ransom within a certain time period.
The ransomware gang has already listed the networks of H&M Israel and Veritas Logistic as victims on its data leak site. The threat actor has already leaked a portion of the data allegedly stolen from Veritas during the attack.
The ransomware gang did not ask for a large ransom compared to other enterprise-targeting attacks. Haaretz reports that hackers demanded three bitcoin from Veritas (approximately $173,000).
Israeli cybersecurity researchers say that the N3TW0RM ransomware attack is similar to the Pay2Key attacks that took place in November 2020 and February 2021.
Pay2Key has been linked to Fox Kitten, an Iranian nation-state hacking group. The N3TW0RM attacks have not been attributed to any known hacking group yet.
Due to the low ransoms and lack of response to negotiations, Israeli cybersecurity experts believe the purpose of N3TW0RM is to spread chaos in Israel. However, Arik Nachmias, CEO of Honey Badger Security, believes the N3TW0RM attacks are motivated by money.
To encrypt files on the compromised network, threat actors usually distribute a standalone ransomware tool. N3TW0RM uses a different approach that allows the threat actor to keep the whole ransomware operation within the victim’s network and avoid being traced back to a remote command & control server. Though more secretive, this method also adds complexity and could allow a victim to recover their decryption keys, BleepingComputer’s Lawrence Abrams says.