Threat intelligence on DarkBit’s Technion attack


The recently reported ransomware attack on Technion University in Israel brings attention to a new ransomware group, a pattern that is expected to continue in ransomware this year. As many large ransomware gangs, like Conti, splintered last year, new groups are rising up to take their place.

In this case, the group that claimed responsibility for the reported attack is DarkBit. They are a very new group that only announced themselves this month.

DarkBit has been reported to be asking for the equivalent of more than $1.7 million USD in Bitcoin for the files. That amount is an implausibly high ransom demand given the education sector and current trends. The education sector is usually not-for-profit with limited budgets, and average ransom demands have dropped as many groups moved away from ‘big game hunting’ tactics.

BlueVoyant has reviewed the group’s announcement of the attack, the ransom note, its Twitter profile, and its negotiation website, and DarkBit appears to be ideologically motivated. The speed of the attack’s announcement, together with comments in the ransom note, Twitter profile, and negotiation site, suggests ideological rather than financial motives. A recent Telegram post makes ideological motivation highly likely. The ransom note also suggests that the group could plausibly be made up of recently laid-off tech employees: it mentions layoffs of highly skilled employees several times, a complaint that stands out from an otherwise anti-Israeli message.

DarkBit’s leak site is also currently empty. We cannot say yet whether this attack was the group’s sole purpose or whether they will continue operating, though the infrastructure seen so far is typical of a new group intending to establish an ongoing operation. The group claims to have stolen data and says it will post that data in a few days.

So far, there is not much information about the attack itself, so we cannot comment on the apparent skill level. However, universities are typically regarded as moderately soft targets because of their distributed networks, large user populations, and limited budgets. Groups such as PYSA and others have deliberately targeted schools and universities in the past for this reason.