Israel’s Top Tech University Targeted by DarkBit Ransomware


Israel’s top technology school, Technion – Israel Institute of Technology (IIT), is the victim of a ransomware attack by the DarkBit hacker group, which has demanded an 80-Bitcoin payout (around $1.7 million at press time) in a ransom note laden with anti-Israel sentiments.

The university reported the attack on Feb. 12, a day after the threat actor compiled the payload, according to a report from BlackBerry.

“That might suggest DarkBit maintained the initial access to the victim’s network sometime before that, while the implant was compiled a few hours before the attack materialized,” says Dmitry Bestuzhev, a threat researcher at BlackBerry.

DarkBit also warned IIT that if the organization did not pay the ransom within 48 hours, the amount would jump 30%.

The extent of the damage, the origin of the breach, and the initial infection vector have not been publicly released.

The Golang-based ransomware has several notable features, such as the ability to accept command-line arguments or to run without them. In its default mode it encrypts the victim’s device using AES-256, affecting numerous file types. It also uses multithreading to make encryption quicker and more effective.

Bestuzhev tells Dark Reading that, based on the ransom note and the threat actor’s Twitter account and Telegram profile, the main motivator for the attack is geopolitical rather than financial.

An additional motivator, revenge, was indicated through a DarkBit tweet and the text of the ransom note, which alludes to the possibility that a vengeful former tech employee may be leveraging insider knowledge of tooling and software to carry out the attacks.

“A kindly advice to the hight-tech [sic] companies: From now on, be more careful when you decide to fire your employees, specially [sic] the geek ones. #DarkBit,” the tweet stated.

While the statement could be a red herring, it’s worth noting that insider threats (for example, an angry employee who has been fired, or a disgruntled worker trying to cause some damage to the enterprise) are a growing concern for security professionals.

The commentary on Telegram, Twitter, and the DarkBit website also displays hacktivist motivations against Israel.

Bestuzhev says that targeting a university creates noise, and since geopolitics is the agenda, the goal is to spread the message.

“With many students and associates who can’t study and work, it serves as a message amplifier,” he says. “From the attacker’s perspective, it’s a great target to reach as many people as possible.”

Multiple Motivations: Political, Financial, Personal

Melissa Bischoping, director of endpoint security research at Tanium, agrees this attack touches on multiple motivations: political hacktivism, revenge, and financial gain.

“Whoever is behind DarkBit has included comments in their ransom notes about their stances on political regimes as well as comments regarding layoffs and terminations of technical employees,” she says. “It remains to be seen if this is an entirely new group or an offshoot of a previous gang.”

She points out that ransomware is increasingly used as a weapon in geopolitics, because it can be easily purchased and deployed, and it can deliver high-impact destruction quickly.

“Ransomware operators are not concerned with remaining undetected,” Bischoping says. “In fact, it’s quite the opposite: they want to send a message, cause damage, and get paid.”

She explains that universities can be popular targets because they often have understaffed IT departments and many endpoints to manage and secure, leaving multiple openings for a compromise.

“It wasn’t a random attack, as DarkBit’s social media as well as their ransom note indicate clear political stances and motives against the Israeli government and its associated organizations,” she adds.

Murky Intentions May Mask Something Worse

Darren Guccione, CEO and co-founder at Keeper Security, says it’s inadvisable to assume a threat actor’s only motivations behind a ransomware attack, or any other type of malware offensive, are the ones that seem obvious or are spelled out by the threat actors themselves.

“While ransomware is typically used to get paid, it could also be nothing more than a smoke screen or bonus payday as the threat actors work to compromise a target’s system or IT infrastructure in other ways,” he says.

“No matter the threat actor’s apparent or true motivations behind this attack, a full investigation must be done to evaluate the scope of the cyberattack and remediate the damage,” Guccione says.

As with all ransomware attacks, he advises against paying the ransom, to deter future attacks of a similar nature.

“Organizations should also consider implementing a zero-trust, zero-knowledge architecture to mitigate the damage of any future cyberattack,” Guccione says.
