Shirbit hackers release more data as company refuses to pay ransom

Medical information, checks and pay stubs were among the customer information released.

Hacker in a hood (photo credit: INGIMAGE)
The Black Shadow group behind the cyberattack against the Shirbit insurance company released more documents containing the personal information of its employees and customers over the weekend, as the company refused to pay the ransom demanded by the group.
On Saturday morning, the hackers released a large collection of documents, including screenshots of WhatsApp conversations, ID cards, marriage certificates and financial documents. Black Shadow also posted a message reading "Shirbit... THE END!" on their Telegram channel without explaining what the message meant.
The newest leak came after material including pictures of employees, ID cards and medical documents was released on Friday.
“Shirbit company did not pay the money till now,” wrote Black Shadow on their Telegram channel on Friday. “It seems the customers, employees and civil servants data leak is insignificant for them.”
On Friday morning, Shirbit announced that it does not intend to meet the hacker group’s demand for payment, Israeli media reported. The company said it will “not give in” to threats.
Black Shadow warned that they still have dozens of terabytes of data to leak. The hackers also released screenshots of the conversation between them and a representative of Shirbit conducting negotiations.
The hacker group told the representative on Thursday night that they would need to pay 50 Bitcoin to stop the leaks and that Shirbit would “have to trust” that the hackers would keep their word. The hackers additionally warned that “many people,” including intelligence services, were interested in the data. The negotiations did not end with a resolution and the hackers released more data on Friday.
Despite the thousands of documents leaked by Black Shadow over the past few days, Shirbit continued to insist on Saturday that only a “relatively small” number of documents were leaked and that the decision not to pay the ransom was not from "financial considerations, but rather for the good of the customers," according to Israeli media.
Shirbit additionally claimed that the attack is aimed at embarrassing both the company and the entire Israeli economy, and is not an extortion attempt.
On Wednesday night, Black Shadow demanded that Shirbit send 50 bitcoin ($961,110) to their bitcoin wallet within 24 hours or else they would leak more information. The group warned that if the money was not sent, the ransom demand would rise to 100 bitcoin. If another 24 hours passed, the demand would rise to 200 bitcoin.
“After that we will sell the data to the others,” warned the hackers, adding that they will leak some more data at the end of every 24 hours.
Although the National Cyber Directorate only announced the attack on Tuesday morning, the hacker group posted the first leaked documents on a Telegram channel on Monday evening. Since then, they have published several large collections of files containing the private information of customers and employees.
The company reportedly has many government employees among its clients, including Gilad Noitel, president of the Tel Aviv District Court.
Zohar Pinhasi, CEO of the ransomware removal and cyber security service MonsterCloud, told The Jerusalem Post that the claims that Black Shadow wants to strategically harm Israel and is not looking for money are “nonsense.”
“This claim is repeated in every sector that is attacked and in every country. The hack is almost always first and foremost a ransom attack and on a financial basis. This is also the case in the Shirbit attack,” said Pinhasi, who is also a former IT security intelligence officer in the IDF.
“It’s important to clarify this: No government or security body will be able to stop it,” claimed Pinhasi.
“The Pandora’s box has opened and now the company is trying to downplay the severity of the hack and frame it as a matter of ‘national security’ to prevent damage to their reputation and come out as alright with the regulator and customers,” he said.
“The company hopes that the public and customers will buy it, but they are wrong.”
The cybersecurity expert added that the conversations leaked by Black Shadow show that Shirbit’s representative “has zero experience in negotiating with such attackers.”
“This is another big mistake by Shirbit,” said Pinhasi. “The first rule when communicating with hackers in the field of cyber terrorism is to minimize the interaction, as they cannot be trusted. The fact that they brought the issue of ‘trust’ to the negotiations also proves that Shirbit’s representative has no experience in negotiating in such cases.”
The CEO stressed that a cyber terrorism expert is needed in such situations, not just a security expert. “Anyone who does not have specific experience and training for such cases will do more harm than good – and we are seeing the results now.”
Shirbit stated on Saturday that it had hired “the best experts in the country in the fields of cyber and customer security,” according to Israeli media.
Pinhasi warned that “if the materials fall into the wrong hands, it will be possible to use them against the State of Israel. Now the attackers are threatening that if [Shirbit] does not pay the ransom, they will send the stolen materials to a kind of site designated for leaks, which they did.”
Despite stating that he believes a state actor is not behind the hack, the CEO added that he believes that the attackers are from Iran, but that this cannot be confirmed as of yet. 
An official involved in the investigation told Channel 12 on Friday that it seems more likely that a state is behind the attack, not a private group, despite reports that at least one of the attackers may be from or in Israel.
The attack comes amid a spike in ransomware attacks against insurance companies, with dozens of insurance companies in the US reporting ransomware attacks in just the past week, according to MonsterCloud.
Jerusalem Post Staff contributed to this report.