Anti-Israel Hackers Spreading New Form of Malware With Anti-Israel Messages

Unlike regular ransomware, this malware offers no option to recover files in exchange for payment


Israeli researchers have come across a new form of malware that is apparently being disseminated by anti-Israel hackers and works like ransomware.

But unlike ransomware, which generally offers an option to unlock one’s encrypted files in exchange for payment in Bitcoin or some other digital currency, this program spreads anti-Israel propaganda and damages the computer without allowing the files to be restored.

Ari Eitan, the director of research at the cybersecurity firm Intezer, explained to Haaretz that the new software doesn’t work like traditional ransomware. “It’s not exactly encryption. It simply totally changes the files’ content,” he said.

The contents of the files are replaced with a message in poorly written Hebrew and English. The English says, “Fuck-israel, {USERNAME} You Will never Recover your Files Until Israel disepeare,” while the garbled Hebrew says that the person’s files will be restored “when we can restore our victims, our souls, our freedom; when we heal Palestine and can recover Al-Aqsa.” Somewhere in the messy Hebrew the creator added the line “Screwed forever,” presumably referring to the files.

Eitan noted that the malware is fairly amateurish, “and seems to scan only some of the files. The files on the Desktop change completely, and the same with files in the Downloads directories. But a file stored in Program Files remains totally intact, even after [the malware] runs.”

Ido Naor, a senior researcher at Kaspersky Lab, another cybersecurity company, examined the malware’s code and found that the software crashes if you put an empty file named ClickMe.exe into the computer’s Temp directory.
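The behaviour reported above (user files overwritten with a fixed propaganda message, Program Files left intact, and a crash when an empty ClickMe.exe sits in Temp) lends itself to a simple defender-side triage check. The following is an added example written for this article, not code from Intezer, Kaspersky or the malware itself; the directory layout, the file names and the use of one fragment of the quoted English message as a signature are assumptions made for the demonstration.

```python
import tempfile
from pathlib import Path

# Distinctive fragment of the English message the article quotes. The leading
# expletive and the per-victim username are deliberately left out so that a
# match does not depend on them.
OVERWRITE_MARKER = b"You Will never Recover your Files Until Israel disepeare"


def is_overwritten(path: Path) -> bool:
    """True if the file's content is the wiper's message rather than real data."""
    try:
        head = path.read_bytes()[:4096]  # the message is short; no need to read more
    except OSError:
        return False
    return OVERWRITE_MARKER in head


def scan_dirs(roots) -> list:
    """Return the sorted paths (as strings) of files under roots whose content was replaced."""
    hits = []
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and is_overwritten(p):
                hits.append(str(p))
    return sorted(hits)


def inert_clickme_present(temp_dir: Path) -> bool:
    """Report whether the empty ClickMe.exe that Naor says crashes the sample exists in Temp."""
    p = Path(temp_dir) / "ClickMe.exe"
    return p.is_file() and p.stat().st_size == 0


def demo():
    """Constructed sample tree: Desktop and Downloads overwritten, Program Files intact."""
    base = Path(tempfile.mkdtemp())
    desktop, downloads, progfiles, temp = (base / d for d in ("Desktop", "Downloads", "Program Files", "Temp"))
    for d in (desktop, downloads, progfiles, temp):
        d.mkdir()
    msg = b"alice " + OVERWRITE_MARKER + b"\n"  # constructed victim username
    (desktop / "thesis.docx").write_bytes(msg)
    (downloads / "invoice.pdf").write_bytes(msg)
    (progfiles / "app.dll").write_bytes(b"MZ\x90\x00 real binary content")  # untouched
    (temp / "ClickMe.exe").write_bytes(b"")  # the empty file described in the article
    hits = scan_dirs([desktop, downloads, progfiles])
    rel = [Path(h).relative_to(base).as_posix() for h in hits]
    return rel, inert_clickme_present(temp)
```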

“We can only guess where the virus came from and to what degree it has succeeded in spreading itself,” said Eitan. “It seems from the content that it’s aimed at attacking Israelis and according to the VirusTotal website, it has been in existence a little less than two weeks. What’s no less interesting is that it was first uploaded there from the United States.”

VirusTotal (now owned by Google) brings together dozens of antivirus software engines to analyze suspicious files. The first upload of the virus from the United States may merely indicate that someone first noticed the infection there. But various security researchers have said in the past that malware creators often upload their programs to VirusTotal to see if they will be identified by antivirus software.