Ransomware hits Technion university to protest tech layoffs and Israel - BleepingComputer
2023-02-13 05:45 (EST)
A new ransomware group going by the name DarkBit has hit Technion - Israel Institute of Technology, one of Israels leading research universities.
The ransom note posted by DarkBit is littered with messaging protesting tech layoffs and promoting anti-Israel rhetoric, as well as the group demanding a $1.7 million payment.
Technion Institute is battling cyber attack
Technion Institute of Technology, one of the Israels leading public research universities, has been hit by a cyber attack this week.
The Haifa-based academic institution is currently carrying out incident response activities to determine the scope and cause of the incident.
"The Technion is under a cyber attack. The scope and nature of the attack are under investigation," the university said in a statement released in Hebrew.
"To carry out the process of collecting the information and handling it, we use the best experts in the field, both within The Technion and outside, and coordinate with the relevant authorities. The Technion has proactively blocked all communication networks at this stage."
A ransom note from the new DarkBit ransomware group was left on the universitys systems, where the attackers demanded 80 Bitcoin or roughly US$ 1,745,200 to release the decryptor to the university.
Ransom note posted by DarkBit (vx-underground & CyberIL)
The date seen on the PC in the image above indicates the attack occurred on or before February 12th, 2023.
BleepingComputer also observed, at this stage, the Institutes websites are inaccessible—likely after the university blocked all network access amid the attack.
Technion Israels website down as it investigates cyber attack (BleepingComputer)
While Technions cyber systems may be impacted, the universitys campus operations continue as normal.
"The work day tomorrow on campus will proceed as usual, with the exception of the postponed exams," says the Institute.
"The instructions published in the morning regarding participation in public activities due to a day off remain unchanged. We will continue to update when we have more information."
Who is DarkBit anyway?
A threat actor, disgruntled employee, pro-Palestinian activist, or all of these?
The unheard of DarkBit gang has sprung up this week and its whereabouts are yet to be known. The attackers, however, drop a few hints about their objectives in both the ransom note, and their Twitter and Telegram channels.
DarkBits Tor (.onion) website (BleepingComputer)
DarkBits stance against "racism, fascism and apartheid" may cause their activities to be considered hacktivism at a first glance but the groups motives seem multi-faceted.
From the use of #HackForGood hashtag in its Twitter bio to anti-Israel messages seen in the ransom note, as well as the group calling out tech layoffs, its hard to categorize DarkBit just yet.
DarkBits Twitter account with #HackForGood tag and tweets criticising layoffs
While attacking Israel for being an "aparheid regime," DarkBit attackers want to make them pay for "war crimes against humanity" and "firing high-skilled experts."
"A kindly advice to the hight-tech companies: From now on, be more careful when you decide to fire your employees, specially the geek ones [sic]," DarkBit said in a subsequent tweet.
Depending on how one interprets the wording, the attack seems to be DarkBits way of taking revenge for layoffs that may have involved its members.
The threat actors seem to imply that laying off highly technical employees without doing due diligence could pose a threat to an organizations security posture. Some laid off (and disgruntled) employees may have insider knowledge enabling them to acquire easier access to an organizations computer networks even after termination.
"DarkBit has gone from hacktivist, to ransomware group now to a disgruntled former employee all in one day," comments cybersecurity analyst Dominic Alvieri.
The group has threatened to impose a 30% penalty on top of an already-significant ransom demand should the university not agree to pay up. Additionally, the attackers warn theyd be putting up any stolen data for sale after five days.
BleepingComputer continues to monitor the situation and we will post updates as the development progresses.
