Days after DarkBit, a new threat group with a declared anti-Israel agenda, locked up the servers of Israel’s top technology school Technion University, researchers have traced the origins of its ransomware: a LockBit rip-off!
An analysis of the malware by the Cyble Research and Intelligence Labs (CRIL) revealed that it is a modified version of the well-known LockBit ransomware, with some additional features.
For example, encrypted files are given the “.DECODE_” extension, and the ransom note includes a unique URL for communication and negotiation with the threat actors.
According to the Twitter handle of the DarkBit group, the threat actors behind the ransomware attack are against any form of racism, fascism, and apartheid.
They promote the hashtag “HackForGood.” This suggests that the group may have political motivations and may be aligned with Pro-Palestinian activists who are critical of Israel’s policies towards Palestine.
DarkBit ransomware: The unsettling world of ransomware groups
The true identities and motives of the DarkBit ransomware gang remain unknown. While the tweet from the threat actor suggests that a disgruntled former employee may be behind the DarkBit ransomware attack, further investigation is necessary to uncover the truth.
Despite the uncertainty surrounding the TAs, the ransom note left by the DarkBit group indicates their political motivations and intentions.
The message contains allegations of apartheid, war crimes, and unjust termination of skilled employees. It’s possible that the group targeted Israel’s Technion university as a form of protest against Israel’s policies.
DarkBit Ransomware: A closer look at its technical analysis
DarkBit Ransomware is a type of destructive malware that targets Windows operating systems and encrypts files on the victim’s computer, demanding a ransom in exchange for the decryption key.
The ransomware uses multithreading to encrypt files, excluding certain file types, filenames, and directories, and uses a unique approach to encrypting large files by segmenting them into smaller parts.
DarkBit Ransomware drops a ransom note with instructions for victims to contact the attackers through TOX messenger and a TOR website. The attackers have imposed an additional 30% charge on the ransom amount and threatened to sell stolen data to the highest bidder if their demands are not met within five days.
DarkBit, ransomware, and geopolitics
Deviating from ransomware groups’ typical approach of using Telegram channels and leak sites, the DarkBit group has used social media platforms such as Twitter and Reddit to disseminate information about the Technion Ransomware attack.
This strategy suggests that the group is conducting an influence campaign that may be sponsored by a state, Alon Gal, co-Founder and CTO of Israeli cybercrime intelligence company Hudson Rock, told The Cyber Express earlier.
However, he added that it is to early to make an exact attribution about the ransomware group’s affiliation.
According to Gal, the campaign has two objectives: firstly, to breach the security of Israel’s prestigious technical university and thereby embarrass the country in terms of technology; secondly, to garner support from the Israeli population by portraying the hacker as a former tech employee seeking retribution against an unfair employer.