Updated: 15:00 GMT 09/05/21
A new ransomware attack group called N3tw0rm is claiming to have penetrated the network of several Israeli companies included Veritas, an international shipping and logistics company, Ecolog, an infrastructure engineering company, and Israel’s branch of clothing retailer H&M. In a departure from previous behavior, a source familiar with the matter stated that after encryption the threat actors did not send H&M a ransom demand since their aim is to embarrass H&M.
N3tw0rm ransomware origins
There is speculation that this N3tw0rm group is associated with Iran. If confirmed, the group will be operating hot on the heels of Pay2Key, a group that attacked numerous companies including Intel, Portnox and IAI back in December 2020. OP Innovate was at the forefront of Israel’s response to Pay2Key and verifies that this new attack exhibits similarities in the MO of the Pay2Key attack. It may be timed to coincide with Israel’s upcoming Jerusalem Day. OP Innovate has put together a list of IOCs (indicators of compromise) we have been able to identify from our investigations so far:
| Indicators | Tags | Comments |
| 8080 | Port | Port between internal secondary and internal primary |
| C:\Windows\Temp\n3tw0rm\Slave.exe | Path, File | |
| 8C6FD14084820EC528749300222097D21197659535AAA50CDCC75831F73546C1 | SHA256 | |
| 4AC7B7A9992CFD83912DC912105D615C | MD5 | |
| C:\Windows\Temp\n3tw0rm\FreeSpaceWorker.exe | Path, File | |
| B1B8DBA2291604B968482D65B6B53142B1BF50A8D5B7CD0D652E9C6BF6A3E1BB | SHA256 | |
| paexec-[#####]-[computername].exe | File | Tool in use (# are for random numbers) |
| 85.203.15.19 | IP Address | C&C – Express VPN |
| 85.203.15.35 | IP Address | C&C – Express VPN |
| s.exe | File | Server |
| pp64.exe | File | Pypykatz |
| 078667339385F3B77AEA2023C8FF9DB373841741 | SHA256 | Pypykatz hash |
Protect yourselves from ransomware gangs
For more information on how OP Innovate‘s cybersecurity expertise can help protect your company’s vital assets from falling into the wrong hands, contact Shay Pinsker at [email protected].
Written by Oran Cohen, Chief Security Officer at OP innovate