[BreachExchange] Shirbit hackers demand almost $1 million in ransom money to stop leaks

Destry Winant destry at riskbasedsecurity.com
Fri Dec 4 10:48:54 EST 2020


https://www.jpost.com/israel-news/shirbit-hackers-demand-almost-1-million-in-ransom-money-to-stop-leaks-650995

The Black Shadow hacker group, which targeted the Shirbit insurance
company in a cyberattack on Tuesday, demanded that the company send 50
bitcoin ($961,110) to their bitcoin wallet within 24 hours, in a
message published on their Telegram channel on Wednesday night.

The group stated that if the money is sent, they will not disclose any
data and will not sell it to anyone. The hackers have already
published large collections of files containing the private
information of customers and employees.

Black Shadow warned that if the money is not sent within 24 hours of 9
a.m. on Thursday morning, the ransom demand will rise to 100 bitcoin
($1,922,220). If another 24 hours pass, the demand will rise to 200
bitcoin ($3,847,680). "After that we will sell the data to the
others," warned the hackers, adding that they will leak some more data
at the end of every 24 hours.

Shortly after the message was published, the group published more
files, including faxes and ID cards.

Sources involved in the investigation told Channel 12 that an Israeli
or someone in Israel may be involved in the cyberattack and that the
attack seems to be from a private group and not a state.

Shirbit hired a negotiations expert to conduct negotiations with the
hackers after the ransom demand was made overnight.

The company told Channel 12 that it was "puzzling" that the demand was
made when the details of the attack were still unclear.

"Shirbit is working with teams of state and private cyber experts to
return to full activity in the near future," said the company in a
statement. "The company has a full backup that is not damaged, and the
initial investigation shows that the information stolen will not cause
damage to the company's customers. The company has acted to protect
information resources in accordance with the directives of the
authorities, and is also now fully coordinated with them."

The National Cyber Directorate and Capital Market Authority said on
Tuesday that they were working with Shirbit to investigate the suspected
attack and that an initial probe found that insurance details were
also leaked.

Although the directorate only announced the attack on Tuesday morning,
Black Shadow posted the first leaked documents on a Telegram channel
at around 9 p.m. on Monday evening.

Shirbit reportedly has many government employees among its clients,
including the president of the Tel Aviv District Court, Gilad Noitel.

In a Telegram message to KAN, the group stated that they had other
targets that they would disclose later and that they conducted the
attack "for money," without further clarification.

“The Shirbit insurance company places the safety and service of its
customers at the top of its priorities and is ranked year after year
among the top insurance companies in Israel in its fields of
activity,” company CEO Zvi Leibushor said in response to the incident.
“Shirbit has invested millions of shekels in securing databases and
protecting against cyberattacks, and meets all the stringent
regulatory requirements in this area.”

Leibushor added that Shirbit is investing all resources and efforts
needed for an “effective, safe and rapid solution to the cyberattack,
whose real goal is to try to harm the Israeli economy.”

The attack comes amid a spike in ransomware attacks against insurance
companies, with dozens of insurance companies in the US reporting such
attacks in just the past week, according to the ransomware removal and
cyber security service MonsterCloud.

The attackers in the US have made ransom demands between 100,000 and
millions of dollars.

"Based on the recent attacks here in the US, the attacks are
money-driven," MonsterCloud CEO Zohar Pinhasi told The Jerusalem Post.
"And even if the victim has a backup, the attacker will blackmail the
victim for the ransom to prevent data leak, which is huge when it
comes to insurance companies.

"This is a new trend in the US. This type of attack is caused due to a
lack of cyber security knowledge," he said, warning that "it seems the
company has a long and turbulent road ahead."

Pinhasi added that it is unclear whether the same group is behind the
attacks in the US, explaining that hacker groups tend to change their
names often in order to protect themselves.

