05 July 2021  —  Acronis

Threat analysis: N3tw0rm ransomware


Summary

  • Uses a targeted-attack approach to break into the corporate networks of Israeli companies.
  • Employs a client-server model for encrypting computers in the target networks.
  • N3tw0rm is supposedly connected with the Iranian operators of the Pay2Key ransomware.
  • The threat actors behind N3tw0rm have already released 110 GB of data from H&M Israel and 9 GB of data from the shipping company Veritas on their data leak site.

Attack vectors and recent targets

On May 2, 2021, the cybercriminal group N3tw0rm attacked the computer networks of the international clothing retailer H&M in Israel and threatened to release customer data. This was reported by the Israeli newspaper Haaretz, which had previously reported attacks on at least four Israeli companies and one non-profit organization.

Typically, the attackers gain initial access either through spear-phishing emails carrying a malicious attachment or through RDP credentials bought on the dark web.

N3tw0rm set up a data leak site where they threaten to release stolen files if the victim doesn't pay the ransom.

The hackers have threatened to release 110 GB of data from H&M Israel, and 9 GB of data from the shipping company Veritas, including customer, account, employee and possibly billing information.

According to BleepingComputer, cybercriminals have already published the exfiltrated data that was stolen during the attack on Veritas, suggesting that the ransom demand was not met.

Haaretz reports that the attackers demanded a ransom of 3 bitcoin (approximately $120,000 at the time of writing) for deleting Veritas data, and a source from BleepingComputer mentions 4 bitcoin (approximately $160,000).

Israeli cybersecurity sources speculate that ransom is not the primary goal of cybercriminals. Instead, they want to undermine and damage Israel's status as a prominent cyber force. The criminals are thus thought to be politically motivated. Experts explain such conclusions by the fact that N3tw0rm is supposedly connected with the Iranian operators of the ransomware Pay2Key, which last year announced the hacking of Israel Aerospace Industries and the Israeli information security company Portnox. But at the moment, N3tw0rm attacks have not been associated with other hacker groups.

The hackers recently published information about one more victim from Israel — Ecolog Engineering Ltd., a private consulting and design firm specializing in environmental impact assessments.


Self-defense

N3tw0rm employs a collection of anti-debugging techniques, including XOR string encryption, checking for an attached debugger through the Windows API, checking debugging flags, triggering unhandled exceptions, and timing checks based on a performance counter.

If debugging is detected, N3tw0rm shuts down the system.


The attackers use PAExec to deploy and run the ‘slave.exe’ client on every device to be encrypted. Encrypted files receive a .n3tw0rm extension.

Wiping free disk space

To prevent restoration of deleted files after encryption, the ransomware uses an unusual technique. It launches a so-called “Free space worker” which creates many temporary files on network drives and fills them with zeros.

After all available space has been filled with temp files, the “Free space worker” deletes them. As a result, all free space on network drives is wiped with zeros.
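The three behaviours described above (PAExec pushing the slave.exe client, files renamed to .n3tw0rm, and a single process filling a network share with temp files until free space collapses) can be expressed as simple detection rules. The following is an added example, not Acronis code; the pipe-delimited event format, the sample events and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real N3tw0rm logs), one event per line:
# process|pid|action|path|free_space_percent_on_target_volume
SAMPLE_EVENTS = r"""
explorer.exe|300|create_file|C:\Users\bob\report.docx|68
paexec.exe|410|create_process|\\FILESRV\share\slave.exe|68
slave.exe|512|rename|\\FILESRV\docs\q1.xlsx.n3tw0rm|68
slave.exe|512|create_file|\\FILESRV\docs\tmp00001.tmp|55
slave.exe|512|create_file|\\FILESRV\docs\tmp00002.tmp|40
slave.exe|512|create_file|\\FILESRV\docs\tmp00003.tmp|3
slave.exe|512|delete_file|\\FILESRV\docs\tmp00001.tmp|20
backup.exe|700|create_file|\\FILESRV\backups\full.vbk|60
"""

TEMP_FILES_MIN = 3     # temp files one pid must create on a share before we care
FREE_FLOOR_PCT = 5     # the wipe ends only when the share is (nearly) full
FREE_DROP_PCT = 30     # and free space must have collapsed, not merely dipped

def parse(raw):
    # Split the pipe-delimited lines into event dicts.
    events = []
    for line in raw.strip().splitlines():
        proc, pid, action, path, free = line.split("|")
        events.append({"proc": proc.lower(), "pid": int(pid), "action": action,
                       "path": path, "free": int(free)})
    return events

def analyze(raw):
    # Return (rule, pid, path) findings for the three behaviours named above.
    findings, temp_free, flagged = [], defaultdict(list), set()
    for e in parse(raw):
        low = e["path"].lower()
        # Rule 1: PAExec launching the slave.exe client, as the post describes.
        if e["proc"] == "paexec.exe" and e["action"] == "create_process" \
                and low.endswith("slave.exe"):
            findings.append(("paexec_deploys_client", e["pid"], e["path"]))
        # Rule 2: a file renamed to the .n3tw0rm extension.
        elif e["action"] == "rename" and low.endswith(".n3tw0rm"):
            findings.append(("n3tw0rm_extension", e["pid"], e["path"]))
        # Rule 3: one pid filling a UNC share with temp files until free space collapses.
        elif e["action"] == "create_file" and low.startswith("\\\\") \
                and low.endswith(".tmp"):
            readings = temp_free[e["pid"]]
            readings.append(e["free"])
            if (e["pid"] not in flagged and len(readings) >= TEMP_FILES_MIN
                    and readings[-1] <= FREE_FLOOR_PCT
                    and readings[0] - readings[-1] >= FREE_DROP_PCT):
                flagged.add(e["pid"])
                findings.append(("free_space_wipe", e["pid"], e["path"]))
    return findings
```

Rule 3 deliberately requires both a burst of temp files and a collapse in free space, so a legitimate backup job writing one large file on the same share does not trigger it.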

Ransom note

The ransom note contains contact and payment information, and appears as follows:

Detection by Acronis

Acronis’ Active Protection technology uses advanced machine intelligence and behavioral analysis to successfully identify and stop N3tw0rm attacks — as well as any other known or unknown cyberthreat. Backups are protected against tampering, and enable the automatic and rapid restoration of any encrypted files.

Some cybersecurity researchers believe that N3tw0rm is a product of Iranian hacker groups, and designed to attack vulnerable systems. This ransomware has so far been used exclusively against Israeli companies and users.

IoCs

SHA256: 8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1


About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.