Last Friday’s family dinner started like any other. My grandmother stealthily running around the kitchen adding some finishing touches to her amazing dishes, while her children and grandchildren gradually arrive. Meeting once a week (or two) for a Friday dinner is customary for traditional Israeli families (and let’s face it, Israel is so small that no matter where you live – it’s still no more than a few-hour drive from your family). As we started moving delicious-smelling food from the kitchen to the dining room, my family asked me excitedly (and a bit worriedly) – “Did you hear about the Shirbit cyber attack? They got attacked with a ransom malware, have you heard of those?”.
Now I’ll take a moment to set the background for this – my long-time romance with ransomware started in 2016, when Locky and TeslaCrypt were on the loose. I was super interested in the psychological concept and possibilities of a malware that takes something that is valuable to its victim hostage, and is willing to return it in exchange for a ransom payment. After researching the subject and its history for some time, I would fly to the U.S. every once in a while to give talks at cybersecurity conferences about the evolution of ransomware. I’ve also recently written an extensive guide on ransomware history and protection from this threat type, which can be found here.
So imagine me standing next to my uncle, to whom I have explained what I do and what I research endless times, shocked that until today my stories from work had not fully registered with my family. At first I was a little disappointed, thinking that maybe they had been nodding and smiling, but not necessarily listening to my work talk... but then another thought came to mind – maybe ransomware is precisely the type of subject that just doesn’t register with (non-security) people until it hits home.
And that’s exactly what happened – on December 1, Shirbit Insurance, an Israeli insurance giant was hit with ransomware by Black Shadow group. Their request? 50 bitcoins, almost one Million dollars. Black Shadow also made it very clear that if Shirbit do not pay the ransom within 3 days, they will leak some of their data online, including customer data. Among the insurer’s customers is the Israeli government which, according to media reports, has stated that it will reconsider using Shirbit’s services. Since the attack last Tuesday, Black Shadow has upped the ransom price to 200 bitcoins, or 3.8 Million dollars. The hackers also leaked data stolen from Shirbit on Telegram starting Friday morning, including a screenshot of an alleged WhatsApp negotiation they had with a Shirbit worker on behalf of the CEO, after the company had publicly stated that they “will not give in to this kind of terrorism”.
There is no doubt that this ransomware attack has crippled Shirbit Insurance. Just a few days ago, they were an industry leader providing services to many Israeli businesses and even the government. But after such a public attack, including the leaked data controversy and a possible compromise of enormous amounts of personal data, the public is waiting to see what fate has in store for the giant that fell off its horse – and to their stolen data. The Israel National Cyber Directorate (INCD) has issued a statement that victims of the ransomware attack and breach on Shirbit should consider obtaining new identity cards and driver’s licenses.
Shirbit Insurance has become the face of ransomware in Israel, and that image is going to be hard to shake. The cost of a ransomware attack is usually much higher than the ransom price, it includes businesses loss during the days of the attack and negotiations, lost customers due to breached trust, IT support during the attack, data recovery, customer compensations, and security upgrades. The best way to prevent a ransomware attack is to protect yourself from the initial infection, if it can’t get to you, it won’t get your data. The second best is to prevent infected devices from communicating with the attacker's command and control infrastructure to stop the attack from progressing to where damage is done. Make sure you use a security solution that integrates threat intelligence data about ransomware from a variety of sources, and that's capable of blocking ransomware traffic at the gateways.
For more information about ransomware, see the articles below: