Menu
Browse

Cyber Threat Actor: N3TW0RM

Actor Type Location Known Incidents
 Icon
Criminal
Iran
2 incidents
Profile

N3TW0RM is a ransomware threat actor known by the alias N3TW0RM and is reported to operate from Iran. The actor emerged in early 2021 with a series of attacks against Israeli entities, using ransomware that appends the .n3tw0rm extension to encrypted files. Observations from security researchers note that the group maintains a data leak site to pressure victims into paying ransoms.

The actor’s targeting has focused on Israeli organizations across sectors such as retail, logistics and nonprofit groups, with specific victims including H&M Israel and Veritas Logistic. Some analysts interviewed by media outlets have suggested that the modest ransom demands and limited negotiation engagement indicate an intent to sow chaos and disrupt Israeli interests, while other experts, including the CEO of an incident response firm, have argued that the primary motivation is financial gain. The ransom notes observed in the attacks demanded amounts ranging from three to four bitcoins, equivalent to roughly $173,000 to $231,000 at the time.

Technically, N3TW0RM employs a client‑server model rather than distributing a standalone ransomware executable to each host. A persistent server component is installed on a victim’s system to listen for connections, and the attackers use PAExec to deploy and execute a client payload named slave.exe on workstations that require encryption. This approach keeps all ransomware operations inside the victim’s network, avoiding external command‑and‑control infrastructure, although it may leave decryption keys recoverable if not fully removed. The malware encrypts files and appends the .n3tw0rm extension, and the group has been observed leaking stolen data on its leak site to increase pressure on victims.

Public attribution of N3TW0RM to any specific hacking group or state sponsor has not been established; researchers have noted superficial similarities to the Pay2Key ransomware campaign previously linked to the Iranian state‑aligned Fox Kitten group, but these parallels remain unconfirmed. Consequently, the actor’s affiliation remains unclear, with no definitive evidence tying it to a state nexus, a criminal consortium, or any other organization. The available information describes N3TW0RM as a ransomware operation that utilized novel internal propagation tactics against Israeli targets while its broader allegiance and ultimate objectives remain subjects of analyst debate.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source