Black Shadow leaks more data after deadline passes

The hacking group leaked more data from a gay dating app after its demand for ransom was not met within 48 hours.

 A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017.  (photo credit: REUTERS/KACPER PEMPEL/FILE PHOTO)
A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017.
(photo credit: REUTERS/KACPER PEMPEL/FILE PHOTO)

Hacker group Black Shadow has leaked profile data from hundreds of thousands of users of "Atraf," following up on threats to do so should their desired ransom of $1 million not be met by Tuesday. 

The hackers, who broke into web hosting company Cyberserve's servers and have since been threatening to release data from Atraf, as well as Dan bus company and tour booking company Pegasus, who were clients of Cyberserve's and had their data stored on their servers. 

Many victims had their personal details leaked and were effectively outed by the hackers, as Ch, a young man in his twenties from Tel Aviv, told Ynet. "It's awful to break into my personal space and threaten to reveal my correspondence and pictures. I hide my sexual orientations, and my family and friends know nothing. It's very problematic for me, and I'm really helpless these days and do not know what to do."

The hackers had previously threatened to leak the data obtained from the database of the gay dating app, which it obtained during its attack on the Israeli Internet company Cyberserve, after a 48-hour deadline it had set to meet its demand for $1 million passed on Tuesday.

"The file was blocked by the site hosting the files shortly after Black Shadow published the link to the data."

"48 hours ended! Nobody send us money. They try to chat us, we will show you our chats. Data will be uploaded soon. But this is not the end, we have more plan," the hacker group wrote in broken English on its Telegram channel.

In its latest attack on an Israeli company, Black Shadow leaked data from a number of companies serviced by Cyberserve, including Atraf, the Kavim and Dan bus companies and the tour booking company Pegasus.

The latest attack was announced by the group on Friday, with Black Shadow claiming it had damaged the servers. Cyberserve is a web hosting company, meaning it provides servers and data storage for other companies across industries. The data seized by the hackers is from a wide variety of businesses, from travel booking and bus companies to the Israeli Children’s Museum.

The group promised that if it got the ransom, it would not leak the information of about a million people it had collected from Atraf. The group did not make any promises about any of the other data it had collected.

In screenshots of chats Black Shadow claims it had with representatives of the company, one of them offered the group $250,000 in bitcoin and asked that they not tell others that they had received the money.

In response, the group stressed that they had the information of a million people and that the ransom could be paid if each person contributed a dollar, with the alleged representative responding that the offer the company had made was its only offer.

"Do u really want to mess up with [the] Israel government, because this will end badly for u," wrote the alleged representative, who continued to ask the group what they would gain from releasing the info.

BLACK SHADOW stated that it would "get attention" by releasing the data. The representative warned the group that Israeli "cyber crime investigators" would come after the group and that they would get no money if they didn't accept the offer, which they raised to $350,000 in bitcoin.

The screenshot conversation was conducted in broken English. Black Shadow ended the conversation by saying that the representative's "friend" had said "nobody cares," without clarifying who the referred to "friend" was.

Cyberserve stressed on Tuesday in response to the claims by Black Shadow that the chat was not conducted by the company, nor by a representative working on its behalf, adding that it has not conducted and is not conducting negotiations with the attackers.

“Under no circumstances should you submit to the demands of the attackers,” stressed the director-general of the Israel Internet Association, Yoram Hacohen, on Sunday in response to Black Shadow’s demands.

“There is no guarantee that if the amount is paid the information will not be published and, more importantly, such a surrender will lead to further and increased attacks due to what is perceived by them as an achievement,” he warned. “Moreover, if private surfers receive messages with demands for payment of ransom they must immediately report it to the police and not take any action beyond that.

“What needs to be done now is to refine online safety and privacy regulations and provide all the support, physically and mentally, to those about whom information has been revealed,” Hacohen said.

THE ISRAEL Internet Association and the Agudah – The Association for LGBTQ Equality in Israel – advised those affected by the cyberattack to make sure to change their usernames and passwords and to use strong passwords. The two stressed that in any incident of ransom demands or blackmail, those affected should contact the Israel Police.

 People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. Picture taken December 27, 2014. (credit: REUTERS/DADO RUVIC/FILE PHOTO) People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. Picture taken December 27, 2014. (credit: REUTERS/DADO RUVIC/FILE PHOTO)

“The natural human tendency may be to succumb to the demands of the attackers, but past experience shows that there is no guarantee that the personal content will be removed. Moreover, it is an opening that may lead to additional ransom demands,” stressed the two organizations. They also advised those affected to notify social media platforms if their information is published there.

Those affected in the lesbian, gay, bisexual and transgender community can contact a hotline set up by the Agudah Sunday through Thursday evenings from 5:00-7:00 again from 7:30-10:30 at *2982 and on WhatsApp at 058-620-5591.

Black Shadow is responsible for previous attacks against Israeli companies, such as vehicle insurance company Shirbit and finance company KLS. In those attacks, the companies affected claimed that the group was Iranian, despite cybersecurity experts rejecting the claims.

Yigal Unna, head of the National Cyber Directorate, told Army Radio on Sunday that Black Shadow appears to be a criminal group with an “anti-Israeli scent,” adding that “it could be because they’re of one origin or another, but it is not fundamentally different from what is happening all over the world.”

"My position has been very reasoned out for years - don't pay and don't negotiate. It is unnecessary, it is useless," said cybersecurity consultant Einat Meyron on Tuesday.

"The information is in any case leaked and sold on other channels, on the darknet, where shaming lists of companies that paid the ransom even though they were promised that they would not be revealed are also published. That in itself should be enough, but when you also see the quality of the conversation that the attacker has with the negotiator, it is difficult not to understand the attacker," said Meyron.

"With an average cost of $7000-$9000 per negotiator, for two or three days, it is already better to transfer the money to a charity that does good. At least that way there is a chance that karma will be considered," added the consultant.

Meyron stated on Saturday in response to the most recent Black Shadow attack that “the identity of the attacking group is a little less important.

“On the part of the attacked companies – for insurance and reputation reasons – it is clear that they will want to attribute the attack to Iran," she said. "In practice, there is no need to make it easier for attackers by refraining from exercising basic defenses.

The cybersecurity consultant additionally stressed that “it is necessary to prove beyond any doubt that this is an Iranian group. And it is neither trivial nor significant because of the effect of the slander – and because an Iranian attribution does not necessarily indicate it was an ‘Iranian mission.’”

Meyron further explained that it is unlikely that a group working for the Iranian regime would “waste energy” on records from random sites, but rather would aim to cause significant damage to crucial infrastructure.

The Cyber Unit at the Office of the State Attorney announced that it was continuing to act against Black Shadow and had contacted Google in order to have access blocked to the hacker group's website and that Telegram had blocked two more channels belonging to the group.

"The director of the Cyber Unit at the Office of the State Attorney, Dr. Haim Wismonsky, stated that the department will continue to work to reduce and disrupt the activities of cybercriminals in order, among other things, to protect the privacy and security of the state's citizens in cyberspace," said the Cyber Unit.