Cyber Incident Victim: Hennes & Mauritz Israel
Date: May 2021
Location: Israel
Summary
A ransomware gang known as N3TW0RM targeted multiple Israeli organizations, including H&M Israel and a logistics firm, encrypting files with the '.n3tw0rm' extension and threatening data leaks to coerce ransom payments. The attackers employed a client-server model, deploying the malware internally via PAExec so that no external command servers were needed, while demanding relatively modest ransoms compared to typical enterprise attacks. Though similarities were noted with earlier Iranian-linked Pay2Key operations, the group's affiliation remained unconfirmed, with conflicting assessments about their motives: either financial gain or disruption of Israeli interests. Stolen data from at least one victim was leaked, compounding operational impacts beyond encryption.
Description
In early May 2021, a newly identified ransomware operation named N3TW0RM targeted multiple Israeli organizations, including H&M Israel and Veritas Logistics, as part of a broader attack wave. The group first emerged the prior week, compromising at least four businesses and one nonprofit, according to Israeli media reports. N3TW0RM operators employed standard ransomware extortion tactics by creating a dedicated data leak site to pressure victims, publicly listing H&M Israel and Veritas Logistics as breached entities. Veritas Logistics’ stolen data had already been leaked at the time of reporting, demonstrating the group’s willingness to follow through on threats. The attackers deployed ransom notes demanding payments between 3 Bitcoin (~$173,000) and 4 Bitcoin (~$231,000), amounts considered relatively low compared to typical enterprise ransomware demands. Security researchers noted technical similarities between N3TW0RM’s code and the Pay2Key ransomware used in November 2020 and February 2021 attacks, which had been attributed to Iranian state-linked actors.

The ransomware utilized an unconventional client-server architecture rather than distributing standalone executables. Attackers installed a central program on compromised servers that listened for connections from workstations, then used the PAExec utility to remotely execute the ‘slave.exe’ client component across devices. Encrypted files were appended with the ‘.n3tw0rm’ extension. This design kept all encryption activity confined within the victim network, eliminating the need for external command-and-control servers but introducing operational complexity. Security experts diverged on the attackers’ primary motivation: some cited the low ransom demands and lack of negotiation engagement as indicators of intent to disrupt Israeli interests, while others maintained that financial gain remained the core objective. The incident highlighted ongoing cybersecurity challenges for Israeli entities, with attribution remaining unconfirmed despite technical parallels to earlier Iran-associated campaigns.
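As an added example, not part of the original record, the following Python logic shows how a defender could flag the two observable traits described above: PAExec launching the ‘slave.exe’ client on remote hosts, and files being written with the ‘.n3tw0rm’ extension. The event structure, host names and command lines are constructed assumptions, not logs from the incident.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RANSOM_EXT = ".n3tw0rm"   # extension named in the incident description
CLIENT_NAME = "slave.exe"  # client component named in the incident description
PAEXEC_MARKER = "paexec"   # PAExec appears in the image or command line of the launcher

@dataclass
class Event:
    host: str    # endpoint that produced the event (constructed names below)
    kind: str    # "process" (process creation) or "file" (file create/rename)
    detail: str  # command line for process events, target path for file events

def classify(ev: Event) -> Optional[str]:
    """Return an alert label for one event, or None if nothing is suspicious."""
    d = ev.detail.lower()
    if ev.kind == "process":
        uses_paexec = PAEXEC_MARKER in d
        if uses_paexec and CLIENT_NAME in d:
            return "high: PAExec pushing slave.exe client"
        if uses_paexec:
            # Legitimate admins use PAExec too, so on its own it is only low severity.
            return "low: PAExec remote execution"
    elif ev.kind == "file" and d.endswith(RANSOM_EXT):
        return "high: file written with .n3tw0rm extension"
    return None

def scan(events):
    """Run classify() over a stream and count encrypted files per host."""
    alerts = []
    encrypted_per_host = Counter()
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append((ev.host, label))
        if ev.kind == "file" and ev.detail.lower().endswith(RANSOM_EXT):
            encrypted_per_host[ev.host] += 1
    return alerts, encrypted_per_host

# Constructed sample events (assumed PAExec syntax: paexec \\target -s -d <program>).
SAMPLE_EVENTS = [
    Event("FS01", "process", r"paexec.exe \\WS07 -s -d C:\Windows\Temp\slave.exe"),
    Event("FS01", "process", r"paexec.exe \\WS08 -s -d C:\Windows\Temp\slave.exe"),
    Event("WS07", "file", r"C:\Users\alice\Documents\q1-report.xlsx.n3tw0rm"),
    Event("WS07", "file", r"C:\Users\alice\Documents\budget.docx.n3tw0rm"),
    Event("ADMIN01", "process", r"paexec.exe \\FS01 -s ipconfig /all"),
    Event("WS08", "file", r"C:\Users\bob\notes.txt"),
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS)[0]:
        print(host, label)
```

A host whose encrypted-file count climbs quickly after a PAExec launch from a server is the pattern worth paging on; the per-host counter gives that second signal.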
