Black Shadow hackers demand $1 million in order to not leak data

The Black Shadow hackers have demanded $1 million, threatening to leak data if the ransom is not paid

Projection of cyber code on hooded man (Illustrative) (photo credit: REUTERS/KACPER PEMPEL/ILLUSTRATION TPX IMAGES OF THE DAY)

The hacker group Black Shadow demanded on Sunday that $1 million be paid to it within 48 hours, or it would leak or sell the rest of the information it collected from the database of the gay dating app Atraf.

In its latest attack on an Israeli company, Black Shadow leaked data from a number of companies serviced by the Israeli Internet company Cyberserve, including Atraf, the Kavim and Dan bus companies and the tour booking company Pegasus.

The latest attack was announced by the group on Friday, with Black Shadow claiming it had damaged the servers. Cyberserve is a web hosting company, meaning it provides servers and data storage for other companies across industries. The data seized by the hackers comes from a wide variety of businesses, from travel bookings company Pegasus to the Dan bus company and even the Israeli Children’s Museum.

Black Shadow claimed on its Telegram channel on Sunday that neither government officials nor Cyberserve contacted them about their ransom demand, so they had decided to allow the public to provide the $1 million ransom they were demanding. “It is obvious this is not an important problem for them,” said the group. “We know everybody is concerned about ‘Atraf’ database. As you know we are looking for money.”

The group promised that if it got the ransom, it would not leak the information of about one million people it had collected from Atraf. The group did not make any promises about any of the other data it had collected.

The National Cyber Directorate in Jerusalem (credit: MARC ISRAEL SELLEM/THE JERUSALEM POST)

“Under no circumstances should you submit to the demands of the attackers,” stressed the director-general of the Israel Internet Association, Yoram Hacohen, on Sunday in response to Black Shadow’s demands.

“There is no guarantee that if the amount is paid the information will not be published and more importantly such a surrender will lead to further and increased attacks due to what is perceived by them as an achievement,” warned Hacohen. “Moreover, if private surfers receive messages with demands for payment of ransom they must immediately report it to the police and not take any action beyond that.”

“What needs to be done now is to refine online safety and privacy regulations and provide all the support, physically and mentally, to those about whom information has been revealed,” added Hacohen.

The Agudah – The Association for LGBTQ Equality in Israel and the Israel Internet Association advised those affected by the cyberattack to make sure to change their usernames and passwords and to use strong passwords. The two stressed that in any incident of ransom demands or blackmail, those affected should contact the Israel Police.

“The natural human tendency may succumb to the demands of the attackers, but past experience shows that there is no guarantee that the personal content will be removed. Moreover, it is an opening that may lead to additional ransom demands,” stressed the two organizations. They also advised those affected to notify social media platforms if their information is published on social media.

Those affected in the lesbian, gay, bisexual and transgender community can contact a hotline set up by the Agudah between the hours of 5 p.m. and 7 p.m. and between 7:30 p.m. and 10:30 p.m. Sunday through Thursday at *2982 and on WhatsApp at 058-620-5591.

Black Shadow is responsible for previous attacks on Israeli vehicle insurance company Shirbit and finance company KLS. After those previous attacks, the companies affected claimed that the group was Iranian, despite cybersecurity experts rejecting the claims.

Yigal Unna, the head of the National Cyber Directorate, told Army Radio on Sunday that Black Shadow appears to be a criminal group with an “anti-Israeli scent,” adding that “it could be because they’re of one origin or another, but it is not fundamentally different from what is happening all over the world.”

Cybersecurity consultant Einat Meyron stated in response to the most recent Black Shadow attack that “the identity of the attacking group is a little less important.

“On the part of the attacked companies – for insurance and reputation reasons it is clear that they will want to attribute the attack to Iran. In practice, there is no need to make it easier for attackers by refraining from exercising basic defenses,” added Meyron.

The cybersecurity consultant additionally stressed that “it is necessary to prove beyond any doubt that this is an Iranian group and it is neither trivial nor significant because of the effect of the slander and because an Iranian attribution does not necessarily indicate it was an ‘Iranian mission.’”

Meyron further explained that it is unlikely that a group working for the Iranian regime would “waste energy” on records from random sites, but rather would aim to cause significant damage to crucial infrastructure.

In December, in response to the Shirbit cyberattack, Zohar Pinhasi, CEO of cyber security service MonsterCloud, told The Jerusalem Post that the claims that Black Shadow wanted to strategically harm Israel and is not looking for money were “nonsense.”

“This claim is repeated in every sector that is attacked and in every country. The hack is almost always first and foremost a ransom attack and on a financial basis. This is also the case in the Shirbit attack,” said Pinhasi, who is also a former IT security intelligence officer in the IDF.

“Pandora’s box has opened and now the company is trying to downplay the severity of the hack and frame it as a matter of ‘national security’ to prevent damage to their reputation and come out as alright with the regulator and customers.”

Ben Zion Gad contributed to this report.