N3TW0RM Ransomware Targeting Israeli Organizations

Description

FortiGuard Labs is aware of recent reports of the N3TW0RM ransomware surfacing in attacks targeting organizations in Israel. N3TW0RM is one of several ransomware campaigns to follow the data leak extortion model, in which the operators threaten to publish confidential stolen data and documents on the dark web if victims fail to pay the ransom. N3TW0RM demands payment in Bitcoin and, according to various reports, the operators appear not to be interested in negotiation.


What are the Technical Details?

It appears that the preferred method of operation for the N3TW0RM operators is to install a server-side component on a host inside the victim's network that listens for connections from client components on other victim machines. Once an active session is established, the attackers use a tool called PAExec (not to be confused with PsExec) to push commands to the victim computers. PAExec is a free, redistributable command-line remote-execution tool that can be bundled with other software, so its presence on its own is not proof of compromise. Through it, the threat actor instructs the victim computer to download additional files (specifically the N3TW0RM ransomware) and execute them. Encrypted files have the .n3twork extension appended to their original names. According to various reports, N3TW0RM shares similarities with the Pay2Key ransomware.
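The lateral-movement step above leaves two artifacts a defender can hunt for: PAExec's own footprint on the target host, and files carrying the ransom extension. The following Python script is an added example for this report, not FortiGuard tooling or code from the N3TW0RM operators. It relies on PAExec's documented behaviour of copying itself to the remote host's Windows directory as PAExec-<pid>-<hostname>.exe and registering a service of the same name, which Windows records as System event ID 7045 (Service Control Manager). The event records and file paths it scans are constructed for the example; in practice they would come from forwarded event logs and a file-share listing.

```python
"""Hunt for PAExec-style remote execution and N3TW0RM-encrypted files.

Added example accompanying the FortiGuard report; not vendor tooling.
Assumptions (documented PAExec behaviour): the tool copies itself to the
remote host's Windows directory as PAExec-<pid>-<hostname>.exe and
registers a service named PAExec-<pid>-<hostname>. A new service
installation is logged as System event ID 7045. All sample data below is
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Service name and dropped binary follow PAExec-<pid>-<hostname>.
PAEXEC_SERVICE_RE = re.compile(r"^PAExec-\d+-[\w.-]+$", re.IGNORECASE)
PAEXEC_IMAGE_RE = re.compile(r"\\PAExec-\d+-[\w.-]+\.exe$", re.IGNORECASE)

# Extension appended to encrypted files, as named in this report.
RANSOM_EXTENSION = ".n3twork"

SERVICE_INSTALL_EVENT_ID = 7045  # Service Control Manager: new service installed


@dataclass
class ServiceInstallEvent:
    """Minimal view of a Windows System-log service event."""
    host: str
    event_id: int
    service_name: str
    image_path: str


def is_paexec_install(ev: ServiceInstallEvent) -> bool:
    """True when a 7045 event shows PAExec registering its remote service.

    PsExec's PSEXESVC does not match; the report stresses the two tools
    are distinct, so they are hunted separately.
    """
    if ev.event_id != SERVICE_INSTALL_EVENT_ID:
        return False
    return (
        PAEXEC_SERVICE_RE.match(ev.service_name) is not None
        or PAEXEC_IMAGE_RE.search(ev.image_path) is not None
    )


def flag_paexec_installs(events: Iterable[ServiceInstallEvent]) -> List[ServiceInstallEvent]:
    """Return the events that indicate a PAExec service installation."""
    return [ev for ev in events if is_paexec_install(ev)]


def find_encrypted_files(paths: Iterable[str]) -> List[str]:
    """Return paths carrying the ransom extension (case-insensitive)."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXTENSION)]


# Constructed sample data: one PAExec deployment, a benign service, a PsExec
# service, and a PAExec *state change* (7036) that must not be counted.
SAMPLE_EVENTS = [
    ServiceInstallEvent("FILESRV01", 7045, "PAExec-4812-ADMIN-PC",
                        r"C:\Windows\PAExec-4812-ADMIN-PC.exe"),
    ServiceInstallEvent("FILESRV01", 7045, "Spooler",
                        r"C:\Windows\System32\spoolsv.exe"),
    ServiceInstallEvent("WKS07", 7045, "PSEXESVC",
                        r"C:\Windows\PSEXESVC.exe"),
    ServiceInstallEvent("WKS07", 7036, "PAExec-99-WKS07",
                        r"C:\Windows\PAExec-99-WKS07.exe"),
]

SAMPLE_PATHS = [
    r"\\FILESRV01\finance\Q1-forecast.xlsx.n3twork",
    r"\\FILESRV01\finance\Q1-forecast.xlsx",
    r"\\FILESRV01\hr\contracts.docx.N3TWORK",
    r"\\FILESRV01\it\n3twork-notes.txt",  # extension is .txt, not a hit
]


if __name__ == "__main__":
    for ev in flag_paexec_installs(SAMPLE_EVENTS):
        print(f"[PAExec] {ev.host}: service {ev.service_name} -> {ev.image_path}")
    for path in find_encrypted_files(SAMPLE_PATHS):
        print(f"[N3TW0RM] encrypted file: {path}")
```

Run it against real data by replacing the two sample lists with parsed 7045 events from the System log and a recursive listing of file shares; a hit on the first check with no corresponding change ticket is worth an immediate look, since it places a remote-execution tool on a host shortly before any encryption would begin.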


The ransom note opens with an N3TW0RM banner in large-format ASCII letters that harkens back to the days of old Bulletin Board Systems (BBS). The note itself is the usual informational text file laid out in a FAQ-like format. It explains what ransomware is, what happened, how to recover files, how to pay, the victim's unique identifier, and the contact information (Bitcoin wallet and email address). A notice section also warns that the ransom demand will double if payment is not made by a specific date.


What Operating Systems are Affected?

Windows based operating systems.


How Serious of an Issue is This?

MEDIUM/HIGH. This is rated MEDIUM/HIGH because we have not seen instances of this ransomware outside the reported attacks, and the spread appears restricted to a specific region for the time being. This rating will be revised if we observe further occurrences of N3TW0RM in the wild.


How Widespread is this Attack?

Low. At this time, the activity appears to be confined to the Middle East, specifically Israel.


Is there Any Identified Nation State Activity or Attribution?

Researchers have noted similarities to the Pay2Key ransomware attacks of last year. Pay2Key has been linked to the Iranian threat actor Fox Kitten. However, there has been no confirmed attribution of N3TW0RM to any threat actor.


Should Victims Pay the Ransom?

FortiGuard Labs cannot provide guidance here. It is up to each organization to determine its own risk. Factors in that decision include the potential for loss due to downtime and reputational damage, along with whether or not the organization has cybersecurity insurance coverage to help offset such losses.


What is the status of Protections?

FortiGuard Labs has the following (AV) signature in place for publicly available N3TW0RM samples:


W32/Agent!tr


For FortiEDR protections, all published IOCs were added to our Cloud intelligence and will be blocked if executed on customer systems.


Any Other Suggested Mitigation?

Due to the ease of disruption and the potential for damage to daily operations and reputation, as well as unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are patched, so that attackers cannot exploit them to establish a foothold within the network.


Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing and spearphishing attacks. Employees should be told never to open attachments from someone they do not know, and always to treat emails from unrecognized or untrusted senders with caution. Since various phishing and spearphishing campaigns have been reported to rely on social engineering for delivery, it is crucial that end users be made aware of the types of attacks in circulation. This can be accomplished through regular training sessions and unannounced tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access into the network.