Israel's top technology school, Technion Israel Institute of Technology (IIT), is the victim of a ransomware attack by the DarkBit hacker group, which has demanded an 80-Bitcoin payout (around $1.7 million at press time) in a ransom note laden with anti-Israel sentiments.
The university reported the attack on Feb. 12, a day after the threat actor compiled the payload, according to a report from BlackBerry.
"That might suggest DarkBit maintained the initial access to the victim's network sometime before that, while the implant was compiled a few hours before the attack materialized," says Dmitry Bestuzhev, a threat researcher at BlackBerry.
BlackBit also warned IIT that if the organization did not pay the ransom within 48 hours, the amount would jump 30%.
The extent of the damage, the origin of the breach, and the initial infection vector have not been publicly released.
The Golang-based ransomware possesses several notable features, such as the ability to accept command-line arguments and function independently. Its default mode involves encrypting the victim's device by utilizing AES-256, impacting numerous file types. Additionally, it employs the method of multithreading to ensure quicker and more effective encryption.
Bestuzhev tells Dark Reading that based on the ransom note, and threat actor's Twitter account and Telegram profile, the main motivator for the attack is geopolitical rather than financial.
An additional motivator — revenge — was indicated through a DarkBit tweet and the text of the ransom note, which alludes to the possibility that a vengeful former tech employee may be leveraging insider knowledge of tooling and software to carry out the attacks.
"A kindly advice to the hight-tech [sic] companies: From now on, be more careful when you decide to fire your employees, specially [sic] the geek ones. #DarkBit," the tweet stated.
While the statement could be a red herring, it's worth noting that insider threats — for example an angry employee who has been fired, or a disgruntled worker trying to cause some damage to the enterprise — are a growing concern for security professionals.
The commentary on Telegram, Twitter, and the DarkBit website also displays hacktivist motivations against Israel.
Bestuzhev says that targeting a university creates noise, and since geopolitics is the agenda, the goal is to spread the message.
"With many students and associates who can't study and work, it serves as a message amplifier," he says. "From the attacker's perspective, it's a great target to reach as many people as possible."
Multiple Motivations: Political, Financial, Personal
Melissa Bischoping, director of endpoint security research at Tanium, agrees this attack touches on multiple motivations — political hacktivism, revenge, and financial gain.
"Whoever is behind DarkBit has included comments in their ransom notes about their stances on political regimes as well as comments regarding layoffs and terminations of technical employees," she says. "It remains to be seen if this is an entirely new group or an offshoot of a previous gang."
She points out that ransomware is increasingly used as a weapon in geopolitics, because it can be easily purchased and deployed, and it can deliver high-impact destruction quickly.
"Ransomware operators are not concerned with remaining undetected," Bischoping says. "In fact, it's quite the opposite — they want to send a message, cause damage, and get paid."
She explains that universities can be popular targets because they often have understaffed IT departments and many endpoints to manage and secure, leaving multiple openings for a compromise.
"It wasn't a random attack, as DarkBit's social media as well as their ransom note indicate clear political stances and motives against the Israeli government and its associated organizations," she adds.
Murky Intentions May Mask Something Worse
Darren Guccione, CEO and co-founder at Keeper Security, says it's inadvisable to assume a threat actor’s only motivations behind a ransomware attack, or any other type of malware offensive, are the ones that seem obvious or are spelled out by the threat actors themselves.
"While ransomware is typically used to get paid, it could also be nothing more than a smoke screen or bonus payday as the threat actors work to compromise a target’s system or IT infrastructure in other ways," he says.
"No matter the threat actor’s apparent or true motivations behind this attack, a full investigation must be done to evaluate the scope of the cyberattack and remediate the damage," Guccione says.
As with all ransomware attacks, he advises against paying the ransom to deter future attacks of a similar nature.
"Organizations should also consider implementing a zero-trust, zero-knowledge architecture to mitigate the damage of any future cyberattack," Guccione says.