Threat actors are extorting an Israeli insurance company by demanding almost $1 million in bitcoin to stop leaking the company’s stolen data.
On Monday, a cybercrime group calling themselves ‘BlackShadow’ tweeted that they hacked into the Israeli Shirbit insurance company and stole files during the attack.
“A huge cyberattack has been taken place by Black Shadow team. There has been a massive attack on the network infrastructure of Shirbit Company, which is in israel economic sphere,” the threat actors tweeted.
Since then, the threat actors have been steadily leaking the victim's documents and images on a Telegram channel they created for this purpose. The stolen data includes internal documents, email PST files, scanned documents, audio recordings, and images of passports.
Late last night, the threat actors posted a ransom demand giving Shirbit 24 hours to send 50 bitcoins (approximately $1 million), after which they would stop leaking the data. The attackers warned that they would continue to leak data every 24 hours if they are not paid.
At the time of this writing, the bitcoin address 13YiK3qHxTdGcD6nfCf7vWXFgWXnbpJvy2 has not received any payments.
Security firms warn against ransom payment
Israel cybersecurity firm Profero believes that this ransom demand is nothing more than a publicity stunt and that the attackers have no plans to stop leaking data if paid.
While these attacks have not been formally attributed, there has been an increase in cyberattacks between Israel and Iran lately.
In October, a report by Profero and ClearSky Cyber Security detailed how an Iranian threat actor known as 'MuddyWater,' linked to the IRGC (Islamic Revolutionary Guard Corps), had planned destructive attacks against Israeli interests in September.
MuddyWater is believed to have planned to use phishing emails or exploit the CVE-2020-0688 Microsoft Exchange vulnerability to deploy fake Google Updaters called 'PowGoop.' Once installed, PowGoop would deploy the Thanos ransomware (also known as Hakbit) on victims' devices.
Thanos ransomware is promoted on Russian-speaking hacking forums as a ransomware-as-a-service (RaaS) operation in which affiliates receive a custom ransomware builder and the developers keep 30% of all ransom payments.
The Israeli cybersecurity firms were able to prevent MuddyWater's September attacks, but further cyberattacks are expected.