Israel's Top Tech University Targeted by DarkBit Ransomware

Published: 23/11/2024   Category: security




An Israeli university is being blackmailed by hackers. However, they aren't just after money but are looking to send a political message — and maybe something more.



Israel's top technology school, Technion Israel Institute of Technology (IIT), is the victim of a ransomware attack by the DarkBit hacker group, which has demanded an 80-Bitcoin payout (around $1.7 million at press time) in a ransom note laden with anti-Israel sentiments.
The university reported the attack on Feb. 12, a day after the threat actor compiled the payload, according to a report from BlackBerry.
"That might suggest DarkBit maintained the initial access to the victim's network sometime before that, while the implant was compiled a few hours before the attack materialized," says Dmitry Bestuzhev, a threat researcher at BlackBerry.
DarkBit also warned IIT that if the organization did not pay the ransom within 48 hours, the amount would jump 30%.
The extent of the damage, the origin of the breach, and the initial infection vector have not been publicly released.
The Golang-based ransomware has several notable features, such as the ability to accept command-line arguments and to function independently. In its default mode it encrypts the victim's device using AES-256, impacting numerous file types. It also uses multithreading for quicker and more effective encryption.
Bestuzhev tells Dark Reading that based on the ransom note and the threat actor's Twitter account and Telegram profile, the main motivator for the attack is geopolitical rather than financial.
An additional motivator — revenge — was indicated through a DarkBit tweet and the text of the ransom note, which alludes to the possibility that a vengeful former tech employee may be leveraging insider knowledge of tooling and software to carry out the attacks.
"A kindly advice to the hight-tech [sic] companies: From now on, be more careful when you decide to fire your employees, specially [sic] the geek ones. #DarkBit," the tweet stated.
While the statement could be a red herring, it's worth noting that insider threats — for example an angry employee who has been fired, or a disgruntled worker trying to cause some damage to the enterprise — are a growing concern for security professionals.
The commentary on Telegram, Twitter, and the DarkBit website also displays hacktivist motivations against Israel.
Bestuzhev says that targeting a university creates noise, and since geopolitics is the agenda, the goal is to spread the message.
"With many students and associates who can't study and work, it serves as a message amplifier," he says. "From the attacker's perspective, it's a great target to reach as many people as possible."
Melissa Bischoping, director of endpoint security research at Tanium, agrees this attack touches on multiple motivations — political hacktivism, revenge, and financial gain.
"Whoever is behind DarkBit has included comments in their ransom notes about their stances on political regimes as well as comments regarding layoffs and terminations of technical employees," she says. "It remains to be seen if this is an entirely new group or an offshoot of a previous gang."
She points out that ransomware is increasingly used as a weapon in geopolitics, because it can be easily purchased and deployed, and it can deliver high-impact destruction quickly.
"Ransomware operators are not concerned with remaining undetected," Bischoping says. "In fact, it's quite the opposite — they want to send a message, cause damage, and get paid."
She explains that universities can be popular targets because they often have understaffed IT departments and many endpoints to manage and secure, leaving multiple openings for a compromise.
"It wasn't a random attack, as DarkBit's social media as well as their ransom note indicate clear political stances and motives against the Israeli government and its associated organizations," she adds.
Darren Guccione, CEO and co-founder at Keeper Security, says it's inadvisable to assume a threat actor's only motivations behind a ransomware attack, or any other type of malware offensive, are the ones that seem obvious or are spelled out by the threat actors themselves.
"While ransomware is typically used to get paid, it could also be nothing more than a smoke screen or bonus payday as the threat actors work to compromise a target's system or IT infrastructure in other ways," he says.
"No matter the threat actor's apparent or true motivations behind this attack, a full investigation must be done to evaluate the scope of the cyberattack and remediate the damage," Guccione says.
As with all ransomware attacks, he advises against paying the ransom to deter future attacks of a similar nature.
"Organizations should also consider implementing a zero-trust, zero-knowledge architecture to mitigate the damage of any future cyberattack," Guccione says.
