The Israeli insurance firm Shirbit managed to successfully recover about 90 percent of its systems during the first 24 hours of the cyberattack which saw its data breached and information on its clients leaked online. The company’s website, which has been down in recent days, is expected to go back online soon, the firm said Sunday.
The firm is already in the forensic stage of the attack, no simple task because the attackers deleted, among other things, the log files that documented their entry into and activity within the Shirbit systems.
Meanwhile, negotiations with the attackers continue. The current working assumption of the professional cyber teams working with Shirbit is that this is not a ransom attack with financial motives. The suspects were reluctant to negotiate with Shirbit, which is common during such attacks.
The motivation for the attack remains unclear but a variety of explanations are discussed, ranging from revenge for a bad business deal or personal vendetta, to an ideologically motivated attack targeting Israeli organizations.
Shirbit has stated that over 2,000 documents have been leaked, including at least 130 ID cards belonging to its clients. The firm has already reached out to those whose information was compromised. In many cases, the victims had no idea their information had made its way online.
An examination revealed that only three people had their personal credit card information published online; the cards have since been blocked. At this point, it is still unclear how the attackers broke in and exactly which vulnerability they exploited. Official government bodies are aiding the insurance firm.
The hackers managed to breach Shirbit’s computer network and steal large amounts of data – hundreds of megabytes, if not much, much more – from the company’s servers at the beginning of last week. They got their hands on employees’ pay slips, claims filed by customers – including insurance appraisers’ reports and hospital records, for example – as well as a large number of customer ID documents.
Since then, the attackers have been gradually leaking more and more of the information online, a technique known as “data dumping,” or simply dumping. Every such dump exposes more personal information and makes the challenge of containing the breach that much harder. Dumps are also intended to increase the pressure on the victims to pay up.
Only two days after the attack, the hackers sent a ransom note demanding 50 bitcoins – just shy of $1 million – in return for halting publication of the stolen information online. The hackers said they would double the ransom amount if it was not paid on time, and then triple it again after another 24 hours.
All the experts, including those actually involved in handling the incident and who have seen all the materials and details, say that at this stage all signs indicate that the hackers don’t really want money. It seems that they are a group that began the campaign for ideological and anti-Israel reasons, and then discovered they had hit the jackpot.
The group demanding the ransom has not been identified from previous attacks. Usually, a group’s modes of operation or even the techniques it deploys can be used to attribute attacks to certain actors. However, the way this group, Black Shadow, is behaving is unlike other ransom cases. As a result, experts see little reason to negotiate with them: even if the ransom is paid, it is far from certain that the group will cease dumping information online.
“The ‘manufacturers’ of ransomware have a reputation to maintain,” said attorney Jonathan Klinger, who specializes in internet and information law, about what is termed in the industry as threat actors, or hacker teams. “Every such organization has a history and knows that if they are paid they will not release the files they stole – otherwise they will lose their credibility and thus the ability to get paid next time.”
The Shirbit attackers, on the other hand, seem to want to sow destruction and create a PR embarrassment for the Israeli company. They could be amateurs, but they could also be a group with a foreign country behind them. For now, the former is the more common assessment.