New ‘DarkBit’ ransomware gang shuts down Technion, demands $1.7 million ransom

A cyber attack on the Israel Institute of Technology has brought to light the emergence of a potentially aggressive new ransomware gang, DarkBit.

The institute, known as Technion, was struck by a ransomware attack over the weekend during which hackers demanded an 80-Bitcoin ransom, equivalent to around $1.7 million (£1.4 million).

In the ransomware note, the group threatened to raise the ransom sum by 30% if the academic institution failed to pay the ransom in a 48-hour period.

The ransomware note was also littered with anti-Israeli government rhetoric, suggesting that the attack was politically motivated.

Believed to be a hacktivist operation, the likelihood of a victim paying DarkBit and then later receiving the decryptor is generally lower since the attack isn't believed to be wholly motivated by money.

“We’re sorry to inform you that we had to hack Technion network completely and transfer 'all' data to our secure servers,” the note read.

“So, keep calm, take a breath and think about an apartheid regime that causes troubles here and there.”

Technion confirmed it was dealing with a security incident in a statement online on Sunday 12 February, adding that it was working to determine the full scale of exposure.

“The Technion is under cyber attack. The scope and nature of the attack are under investigation,” the statement read, “To carry out the process of collecting the information and handling it, we use the best experts in the field, in the Technion and outside, and coordinate with the authorities.”

While the exact scale of the attack is yet to be disclosed, the university said in a follow-up statement that campus activity, including exams, would not be affected.

Who are DarkBit?

DarkBit appears to be one of the newest ransomware groups to emerge in recent months.

The identity of the group remains unclear, but given the politically charged language in the ransomware note left over the weekend, the group could be the latest sophisticated ‘hacktivist’ group to land on the scene.

In its Twitter bio, the group claims to be against “racism, fascism and apartheid”.

Hacktivist groups have wrought havoc on organisations globally and the subcommunity within cyber security has received special attention since the war in Ukraine broke out.

Pro-Russian hacktivist group, Killnet, for example, has claimed responsibility for a number of devastating attacks against public services in Ukraine since the onset of the conflict in February last year.

Earlier this month, the group launched attacks against more than a dozen US hospitals amidst its ongoing reprisal campaign against nations supporting the Ukrainian war effort.

Bogdan ‘Bob’ Botezatu, director of threat analytics at Bitdefender, told IT Pro that while hacktivism is far from a new trend, recent geopolitical events have resulted in a surge of hacktivist-related incidents.

“Hacktivism is known as a type of hacking to support civil, political, or religious causes. It has become chiefly consecrated with the advent of the Anonymous hacking group and has become more and more frequently used in the past few years as hacking groups affiliated with state actors have entered the scene,” he said.

“In the past year alone, since the start of Russia’s invasion of Ukraine, several hacking groups have openly offered their cyber crime expertise to support Russia’s cause by hacking into companies in countries part of NATO or the EU.”

Chris Hauk, consumer privacy champion at Pixel Privacy, noted that DarkBit’s ransomware demand message also warned Technion to “be careful when you decide to fire your employees, especially the geek ones”.

This comment, Hauk noted, could suggest that the attack could have been the result of revenge from a disgruntled former employee.

Hauk’s suggestion follows similar comments by security researcher, Dominic Alvieri, who tweeted yesterday that the group has “gone from hacktivist, to ransomware group, now to a disgruntled former employee all in one day.”