Ransomware hits Technion university to protest tech layoffs and Israel

A new ransomware group going by the name 'DarkBit' has hit Technion - Israel Institute of Technology, one of Israel's leading research universities.

The ransom note posted by DarkBit is littered with messaging protesting tech layoffs and promoting anti-Israel rhetoric, as well as the group demanding a $1.7 million payment.

Technion Institute is battling cyber attack

Technion Institute of Technology, one of the Israel's leading public research universities, has been hit by a cyber attack this week.

The Haifa-based academic institution is currently carrying out incident response activities to determine the scope and cause of the attack.

"The Technion is under a cyber attack. The scope and nature of the attack are under investigation," the university said in a statement released in Hebrew.

"To carry out the process of collecting the information and handling it, we use the best experts in the field, both within The Technion and outside, and coordinate with the relevant authorities. The Technion has proactively blocked all communication networks at this stage."

A ransom note from the new 'DarkBit' ransomware group was left on the university's systems, where the attackers demanded 80 Bitcoin or roughly US$ 1,745,200 to release the decryptor to the university.

The date seen on the PC in the image above indicates the attack occurred on or before February 12th, 2023.

BleepingComputer also observed, at this stage, the Institute's websites are inaccessible—likely after the university blocked all network access amid the attack.

While Technion's cyber systems may be impacted, the university's campus operations continue as normal.

"The work day tomorrow on campus will proceed as usual, with the exception of the postponed exams," says the Institute. 

"The instructions published in the morning regarding participation in public activities due to a day off remain unchanged. We will continue to update when we have more information."

Hours after this article was published, the university released a lengthy update [English version] calling the cyber attack "challenging" and a "complex event" that will take time to recover from.

Although technical computing systems—including Office 365, Zoom and Panopto are gradually being restored, the incident response is ongoing.

נמשיך ונעדכן ככל שמערכות נוספות יחזרו לפעול.

בראש סדר העדיפויות עומדים הסטודנטים והסטודנטיות שלנו, הנמצאים כעת בתקופת בחינות. לאור המצב נאלצנו לדחות את הבחינות שתוכננו להיום (ב') ולמחר (ג'). מיום ד' הקרוב (15.2.23) יתקיימו הבחינות כסדרן.

— Technion Israel (@TechnionLive) February 13, 2023

Who is 'DarkBit' anyway?

A threat actor, disgruntled employee, pro-Palestinian activist, or all of these? 

The unheard of 'DarkBit' gang has sprung up this week and its whereabouts are yet to be known. The attackers, however, drop a few hints about their objectives in both the ransom note, and their Twitter and Telegram channels.

DarkBit's stance against "racism, fascism and apartheid" may cause their activities to be considered hacktivism at a first glance but the group's motives seem multi-faceted.

From the use of #HackForGood hashtag in its Twitter bio to anti-Israel messages seen in the ransom note, as well as the group calling out tech layoffs, it's hard to categorize DarkBit just yet.

While attacking Israel for being an "aparheid regime," DarkBit attackers want to make them pay for "war crimes against humanity" and "firing high-skilled experts."

"A kindly advice to the hight-tech companies: From now on, be more careful when you decide to fire your employees, specially the geek ones [sic]," DarkBit said in a subsequent tweet.

Depending on how one interprets the wording, the attack seems to be DarkBit's way of taking revenge for layoffs that may have involved its members.

The threat actors seem to imply that laying off highly technical employees without doing due diligence could pose a threat to an organization's security posture. Some laid off (and disgruntled) employees may have insider knowledge enabling them to acquire easier access to an organization's computer networks even after termination.

"DarkBit has gone from hacktivist, to ransomware group now to a disgruntled former employee all in one day," comments cybersecurity analyst Dominic Alvieri.

The group has threatened to impose a 30% penalty on top of an already-significant ransom demand should the university not agree to pay up. Additionally, the attackers warn they'd be putting up any stolen data for sale after five days.

BleepingComputer continues to monitor the situation and we will post updates as the development progresses.

Update, Feb 13th, 11:56 AM ET: Added updated statement from the university.