The Tel Aviv Magistrates Court ordered on Wednesday internet providers and search engines to block access to the Black Shadow and the content it has leaked from Israeli companies, as Israeli authorities continue to work to limit the damage caused by the ransomware attack.
The court also ordered that the personal information that was leaked be removed.
Despite Telegram deleting Black Shadow's channel on Tuesday, the hacker group was able to open a new channel later in the day and has since leaked even more data from 103FM radio, the Trip Guaranty travel insurance company, Locker Ambin furniture company, the Mor Institute for medical data and the Tacy jewelry company.
The newly leaked data includes flight details, addresses, emails and birth dates, among other details.
On Tuesday, Black Shadow leaked profile data from hundreds of thousands of users of "Atraf," following up on threats to do so should their desired ransom of $1 million not be met.
The hackers, who broke into web hosting company Cyberserve's servers and have since been threatening to release data from Atraf, as well as Dan bus company and tour booking company Pegasus, who were clients of Cyberserve's and had their data stored on their servers.
The hackers had previously threatened to leak the data obtained from the database of the gay dating app, which it obtained during its attack on Cyberserve, after a 48-hour deadline it had set to meet its demand for $1 million passed on Tuesday.
The file was blocked by the site hosting it shortly after Black Shadow published the link, but has since been republished at a functioning link.
The latest attack was announced by the group on Friday, with Black Shadow claiming it had damaged the servers. Cyberserve is a web hosting company, meaning it provides servers and data storage for other companies across industries. The data seized by the hackers is from a wide variety of businesses, from travel booking and bus companies to the Israeli Children’s Museum.
“Under no circumstances should you submit to the demands of the attackers,” stressed the director-general of the Israel Internet Association, Yoram Hacohen, on Sunday in response to Black Shadow’s demands.
“There is no guarantee that if the amount is paid the information will not be published and, more importantly, such a surrender will lead to further and increased attacks due to what is perceived by them as an achievement,” he warned. “Moreover, if private surfers receive messages with demands for payment of ransom they must immediately report it to the police and not take any action beyond that.
“What needs to be done now is to refine online safety and privacy regulations and provide all the support, physically and mentally, to those about whom the information has been revealed,” Hacohen said.
Black Shadow is responsible for previous attacks against Israeli companies, such as vehicle insurance company Shirbit and finance company KLS. In those attacks, the companies affected claimed that the group was Iranian, despite cybersecurity experts rejecting the claims.
Yigal Unna, head of the National Cyber Directorate, told Army Radio on Sunday that Black Shadow appears to be a criminal group with an “anti-Israeli scent,” adding that “it could be because they’re of one origin or another, but it is not fundamentally different from what is happening all over the world.”
"My position has been very reasoned out for years - don't pay and don't negotiate. It is unnecessary, it is useless," said cybersecurity consultant Einat Meyron on Tuesday.
"The information is in any case leaked and sold on other channels, on the darknet, where shaming lists of companies that paid the ransom even though they were promised that they would not be revealed are also published. That in itself should be enough, but when you also see the quality of the conversation that the attacker has with the negotiator, it is difficult not to understand the attacker," said Meyron.
"With an average cost of $7000-$9000 per negotiator, for two or three days, it is already better to transfer the money to a charity that does good. At least that way there is a chance that karma will be considered," added the consultant.
Meyron stated on Saturday in response to the most recent Black Shadow attack that “the identity of the attacking group is a little less important.
“On the part of the attacked companies – for insurance and reputation reasons – it is clear that they will want to attribute the attack to Iran," she said. "In practice, there is no need to make it easier for attackers by refraining from exercising basic defenses.”
The cybersecurity consultant additionally stressed that “it is necessary to prove beyond any doubt that this is an Iranian group. And it is neither trivial nor significant because of the effect of the slander – and because an Iranian attribution does not necessarily indicate it was an ‘Iranian mission.’”
Meyron further explained that it is unlikely that a group working for the Iranian regime would “waste energy” on records from random sites, but rather would aim to cause significant damage to crucial infrastructure.
The Cyber Unit at the Office of the State Attorney announced that it was continuing to act against Black Shadow and had contacted Google in order to have access blocked to the hacker group's website and that Telegram had blocked two more channels belonging to the group.
"The director of the Cyber Unit at the Office of the State Attorney, Dr. Haim Wismonsky, stated that the department will continue to work to reduce and disrupt the activities of cybercriminals in order, among other things, to protect the privacy and security of the state's citizens in cyberspace," said the Cyber Unit.