Open Nav
Sign Up

N3TW0RM Ransomware IOCS

Oran Cohen

May 5, 2021

Updated: 15:00 GMT 09/05/21

A new ransomware attack group called N3tw0rm is claiming to have penetrated the network of several Israeli companies included Veritas, an international shipping and logistics company, Ecolog, an infrastructure engineering company, and Israel’s branch of clothing retailer H&M. In a departure from previous behavior, a source familiar with the matter stated that after encryption the threat actors did not send H&M a ransom demand since their aim is to embarrass H&M.

N3tw0rm ransomware origins

There is speculation that this N3tw0rm group is associated with Iran. If confirmed, the group will be operating hot on the heels of Pay2Key, a group that attacked numerous companies including Intel, Portnox and IAI back in December 2020. OP Innovate was at the forefront of Israel’s response to Pay2Key and verifies that this new attack exhibits similarities in the MO of the Pay2Key attack. It may be timed to coincide with Israel’s upcoming Jerusalem Day. OP Innovate has put together a list of IOCs (indicators of compromise) we have been able to identify from our investigations so far:

IndicatorsTagsComments
8080PortPort between internal secondary and internal primary
C:\Windows\Temp\n3tw0rm\Slave.exe Path, File 
8C6FD14084820EC528749300222097D21197659535AAA50CDCC75831F73546C1 SHA256 
4AC7B7A9992CFD83912DC912105D615CMD5 
C:\Windows\Temp\n3tw0rm\FreeSpaceWorker.exePath, File 
B1B8DBA2291604B968482D65B6B53142B1BF50A8D5B7CD0D652E9C6BF6A3E1BBSHA256 
paexec-[#####]-[computername].exeFileTool in use (# are for random numbers)
85.203.15.19IP AddressC&C – Express VPN
85.203.15.35IP AddressC&C – Express VPN
s.exeFileServer
pp64.exeFilePypykatz
078667339385F3B77AEA2023C8FF9DB373841741SHA256Pypykatz hash

Protect yourselves from ransomware gangs

For more information on how OP Innovate‘s cybersecurity expertise can help protect your company’s vital assets from falling into the wrong hands, contact Shay Pinsker at shay@op-c.net.

Written by Oran Cohen, Chief Security Officer at OP innovate

Resources highlights

Microsoft Defender Vulnerabilities Added to CISA KEV (CVE-2026-41091, CVE-2026-45498)

CISA has added two Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. The vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498,…

Read more >

cve-2026-41091, cve-2026-45498

CVE-2026-42945: Actively Exploited NGINX Rewrite Module Vulnerability Enables Worker Crashes and Possible RCE

CVE-2026-42945 is a heap-based buffer overflow vulnerability affecting NGINX Plus and NGINX Open Source. The flaw exists in the ngx_http_rewrite_module and can be triggered through…

Read more >

CVE-2026-42945

CVE Overload is Here: Why Regular Penetration Testing Matters More Than Ever

On 15 April 2026, NIST made a change that every security leader should pay attention to. The National Vulnerability Database is no longer trying to…

Read more >

CVE overload

CVE-2026-20182: Actively Exploited Cisco Catalyst SD-WAN Vulnerability Enables Admin Access

Cisco has disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller, formerly vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage. The vulnerability, tracked…

Read more >

cve-2026-20182-cisco-catalyst-sd-wan-admin-access

CVE-2026-44277 & CVE-2026-26083: Critical Fortinet Vulnerabilities Enable Unauthenticated Code Execution

Fortinet has released security updates for two critical vulnerabilities affecting FortiAuthenticator and FortiSandbox. Both vulnerabilities are rated Critical, carry a CVSS score of 9.1, and…

Read more >

cve-2026-44277, cve-2026-26083

CVE-2026-6973: Actively Exploited Ivanti EPMM Vulnerability Enables RCE

Ivanti has released security updates for Ivanti Endpoint Manager Mobile (EPMM) after confirming limited in-the-wild exploitation of CVE-2026-6973, a high-severity remote code execution vulnerability affecting…

Read more >

CVE-2026-6973
Under Cyber Attack?

Fill out the form and we will contact you immediately.