Technion University targeted by DarkBit ransomware group.
Feb 14, 2023

Israel’s Technion University was victimized in an attack Sunday, an action claimed by the emerging ransomware group DarkBit.

Technion University in Haifa, Israel, fell victim to a ransomware attack that forced the shutdown of all of the school’s communication networks on Sunday, the Jerusalem Post wrote. A new ransomware group, “DarkBit,” has claimed responsibility for the cyberattack, ARN reported today.

The emerging DarkBit gang’s ransom demands.

ARN reports that the Haifa-based university tweeted Sunday, “The Technion is under cyber attack. The scope and nature of the attack are under investigation.” The group behind the attack, DarkBit, is asking for 80 Bitcoin, or approximately $1,729,320, from the university, with a threatened 30% increase in the demand if the ransom is left unpaid for forty-eight hours. DarkBit appears to be motivated by anti-Israeli or pro-Palestinian sentiment. The group said, in a statement shared by Israeli cyber professional Alon Gal:

“We’re sorry to inform you that we’ve had to hack Technion network completely and transfer all data to our secure servers. So, keep calm, take a breath and think about an apartheid regime that causes troubles here and there.

“They should pay for their lies and crimes, their names and shame. They should pay for occupation, war crimes against humanity, killing the people (not only Palestinians’ bodies but also Israelis' souls) and destroying the future and all dreams we had. They should pay for firing high-skilled experts.”

Israeli government involvement.

The Israeli National Cyber Directorate (INCD) confirmed that they were connecting with Technion University administrators “to get a full picture of the situation, to assist with the incident and to study its consequences,” the Jerusalem Post reported Sunday. “The field of higher education has been a central target for cyber attackers, with the INCD identifying 53 [serious] incidents of such attacks in 2022, most of which were prevented.”

Industry comment on the Technion attack, and ransomware in the educational sector.

Jon Miller, CEO and Co-Founder of Halcyon, discusses how ransomware will continue to be pervasive in education and how the tools we have in place may not be effective against ransomware threats:

“Ransomware operators continue to prioritize the education sector because of its treasure trove of personally identifiable (PII) and financial information that can be leveraged for identity theft and other crimes. These gangs use double extortion schemes by encrypting the network as well as exfiltrating and threatening to leak data to put more pressure on their targets to pay even higher ransoms.

“Even with a robust cyber program and data backups to assist in recovery efforts, organizations face additional risk from the exposure of internal communications, trade secrets, R&D assets, intellectual property and more.

“Legacy antivirus, NGAV and EDR tools, while still very useful, were simply not designed to address the unique threat that ransomware presents. This is why we keep seeing destructive ransomware attacks circumvent these general application solutions.

“During a ransomware attack, the malicious code may perform multiple checks before executing to avoid analysis or victimizing unintended targets. These features can be exploited by aggravating the payload and forcing the ransomware to react defensively to avoid detection and reveal itself.

“Remember, the encryption routine that disrupts victims' systems occurs at a late stage in the attack. There are potentially weeks of detectable activity on the network where the attack can be arrested if the security apparatus is specifically tuned to detect and respond to these early signals rather than focusing only on detecting and blocking the ransomware payload at the end of an attack where you only get one chance for success.”