Cyber Incident Victim: Ness Digital Engineering

Date: Feb 2021

Location: Israel

Summary

Ness Digital Engineering experienced a ransomware attack affecting its operations in Israel, the US, and India. The Ragnar Locker group breached the company’s network, encrypted files and data, and demanded ransom negotiations via a live chat link provided in an on-screen message, with initial reports indicating the incident may have originated in Israel before spreading globally.

Description

On or around February 13, 2021, Ness Digital Engineering, an IT services company operating in Israel, the United States, and India, suffered a ransomware attack. The incident was first reported by cybersecurity consultant Einat Meyron, though specific technical details regarding initial attack vectors or intrusion methods remained undisclosed. Initial reports indicated the attack may have originated within the company's Israeli operations before propagating to other international branches. Attackers deployed ransomware identified as Ragnar Locker, which encrypted files and systems across affected networks. A ransom note displayed on compromised systems addressed the company directly, stating: "Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!" The message instructed Ness to initiate negotiations via a provided live chat interface to "make a deal" for resolution, consistent with standard ransomware extortion tactics. Public reporting did not specify whether data exfiltration occurred prior to encryption or the precise scope of encrypted systems.

The attack's operational impact on Ness Digital Engineering's services, clients, or internal operations was not detailed in available reports. Similarly, no official statements from Ness regarding incident response actions—such as containment measures, system restoration processes, or engagement with law enforcement—were disclosed at the time of reporting. The geographical spread across three countries suggested potential coordination challenges in incident response across regional branches, though no specific remediation timelines or business continuity measures were documented. Cybersecurity news outlets circulated a screenshot of the ransom note as primary evidence of the attack's occurrence and the perpetrators' identity. No follow-up information regarding ransom payment decisions, decryption success rates, or long-term consequences for Ness's operations was verifiable from immediate public sources following the initial disclosure.
