Cyber Incident Victim: Veritas Logistic
Date: May 2021
Location: Israel
Summary
A ransomware group known as N3TW0RM targeted multiple Israeli entities, including Veritas Logistic, encrypting files with a '.n3tw0rm' extension. Rather than a standalone executable, the group used a client-server model in which PAExec deployed a 'slave.exe' client across the network. The attackers leaked stolen data from the company and demanded ransoms averaging approximately $173,000 to $231,000 in Bitcoin, though negotiations reportedly saw limited engagement. While similarities were noted to earlier Pay2Key attacks linked to Iranian state-aligned actors, N3TW0RM's motives remained unconfirmed, with analysts divided between financial gain and intentional disruption of Israeli operations. The attack's architecture allowed encryption without external command servers but introduced recovery opportunities if decryption keys persisted locally after the attack.
Description
In early May 2021, the newly identified N3TW0RM ransomware group targeted multiple Israeli organizations, including Veritas Logistic, as part of a broader attack wave first reported by Israeli media. The attacks began the prior week, with at least four companies and one nonprofit compromised. N3TW0RM employed standard ransomware tactics by establishing a data leak site to pressure victims, listing Veritas Logistic and H&M Israel as breached entities. Veritas suffered confirmed data exfiltration, with attackers leaking stolen files publicly. The group demanded ransoms in bitcoin, with Veritas facing a three bitcoin demand (~$173,000), notably lower than typical enterprise ransomware demands.

Technical analysis revealed N3TW0RM's operational distinction: it used a client-server model rather than standalone ransomware executables. Attackers installed a server-side program that communicated with workstation clients ("slave.exe") deployed via PAExec, encrypting files with the ".n3tw0rm" extension. This architecture kept encryption activities confined to the victim network, eliminating reliance on external command-and-control servers but complicating cleanup.

The incident drew attention due to technical parallels with Pay2Key ransomware attacks from November 2020 and February 2021, which cybersecurity researchers had linked to Fox Kitten, an Iranian state-aligned group focused on disrupting Israeli operations. While N3TW0RM's low ransom demands and unresponsiveness to negotiations led some analysts to suggest ideological motives aligned with prior nation-state activity, others, such as Honey Badger Security CEO Arik Nachmias, attributed the attacks to financial objectives. No formal attribution was established during the initial reporting period. The client-server approach introduced potential recovery opportunities, as decryption keys might persist if attackers failed to erase all files after encryption. Veritas Logistic's operational disruptions and data exposure exemplified the immediate consequences, though specific containment measures or restoration efforts by the company were not detailed in available reports.
