[BreachExchange] Shirbit hackers release more data as company refuses to pay ransom

Destry Winant destry at riskbasedsecurity.com
Tue Dec 8 10:19:54 EST 2020


https://www.jpost.com/breaking-news/shirbit-says-it-will-not-meet-black-shadow-hackers-demand-for-payment-651151

The Black Shadow group behind the cyberattack against the Shirbit
insurance company released more documents containing the personal
information of its employees and customers over the weekend, as the
company refused to pay the ransom demanded by the group.

On Saturday morning, the hackers released a large collection of
documents, including screenshots of WhatsApp conversations, ID cards,
marriage certificates and financial documents. Black Shadow also
posted a message reading "Shirbit... THE END!" on their Telegram
channel without explaining what the message meant.


The newest leak came after material including pictures of employees,
ID cards and medical documents was released on Friday.

“Shirbit company did not pay the money till now,” wrote Black Shadow
on their Telegram channel on Friday. “It seems the customers,
employees and civil servants data leak is insignificant for them.”

On Friday morning, Shirbit announced that it does not intend to meet
the hacker group’s demand for payment, Israeli media reported. The
company said it will “not give in” to threats.

Black Shadow warned that they still have dozens of terabytes of data
to leak. The hackers also released screenshots of the conversation
between them and a representative of Shirbit conducting negotiations.

The hacker group told the representative on Thursday night that they
would need to pay 50 Bitcoin to stop the leaks and that Shirbit would
“have to trust” that the hackers would keep their word. The hackers
additionally warned that “many people,” including intelligence
services, were interested in the data. The negotiations did not end
with a resolution and the hackers released more data on Friday.

Despite the thousands of documents leaked by Black Shadow over the
past few days, Shirbit continued to insist on Saturday that only a
“relatively small” number of documents were leaked and that the
decision not to pay the ransom was not from "financial considerations,
but rather for the good of the customers," according to Israeli media.

Shirbit additionally claimed that the attack is aimed at embarrassing
both the company and the entire Israeli economy, and is not an
extortion attempt.

On Wednesday night, Black Shadow demanded that Shirbit send 50 bitcoin
($961,110) to their bitcoin wallet within 24 hours or else they would
leak more information. The group warned that if the money was not
sent, the ransom demand would rise to 100 bitcoin. If another 24 hours
pass, the demand will rise to 200 bitcoin.

“After that we will sell the data to the others,” warned the hackers,
adding that they will leak some more data at the end of every 24
hours.

Although the National Cyber Directorate only announced the attack on
Tuesday morning, the hacker group posted the first leaked documents on
a Telegram channel on Monday evening. Since then, they have published
several large collections of files containing the private information
of customers and employees.

The company reportedly has many government employees among its
clients, including Gilad Noitel, president of the Tel Aviv District
Court.

Zohar Pinhasi, CEO of the ransomware removal and cyber security
service MonsterCloud, told The Jerusalem Post that the claims that
Black Shadow wants to strategically harm Israel and is not looking for
money are “nonsense.”

“This claim is repeated in every sector that is attacked and in every
country. The hack is almost always first and foremost a ransom attack
and on a financial basis. This is also the case in the Shirbit
attack,” said Pinhasi, who is also a former IT security intelligence
officer in the IDF.

“It’s important to clarify this: No government or security body will
be able to stop it,” claimed Pinhasi.

“The Pandora’s box has opened and now the company is trying to
downplay the severity of the hack and frame it as a matter of
‘national security’ to prevent damage to their reputation and come out
as alright with the regulator and customers,” he said.

“The company hopes that the public and customers will buy it, but they
are wrong.”

The cybersecurity expert added that the conversations leaked by Black
Shadow show that Shirbit’s representative “has zero experience in
negotiating with such attackers.”

“This is another big mistake by Shirbit,” said Pinhasi. “The first
rule when communicating with hackers in the field of cyber terrorism
is to minimize the interaction, as they cannot be trusted. The fact
that they brought the issue of ‘trust’ to the negotiations also proves
that Shirbit’s representative has no experience in negotiating in such
cases.”

The CEO stressed that a cyber terrorism expert is needed in such
situations, not just a security expert. “Anyone who does not have
specific experience and training for such cases will do more harm than
good – and we are seeing the results now.”

Shirbit stated on Saturday that it had hired “the best experts in the
country in the fields of cyber and customer security,” according to
Israeli media.

Pinhasi warned that “if the materials fall into the wrong hands, it
will be possible to use them against the State of Israel. Now the
attackers are threatening that if [Shirbit] does not pay the ransom,
they will send the stolen materials to a kind of site designated for
leaks, which they did.”

Despite stating that he believes a state actor is not behind the hack,
the CEO added that he believes that the attackers are from Iran, but
that this cannot be confirmed as of yet.

An official involved in the investigation told Channel 12 on Friday
that it seems more likely that a state is behind the attack, not a
private group, despite reports that at least one of the attackers may
be from or in Israel.

The attack comes amid a spike in ransomware attacks against insurance
companies, with dozens of insurance companies in the US reporting
ransomware attacks in just the past week, according to MonsterCloud.

