A new ransomware group by the name of “DarkBit” has hit Technion – the Israel Institute of Technology, one of Israel’s leading research universities.

The ransom note released by DarkBit is littered with messages protesting the tech layoffs and promoting anti-Israel rhetoric, as well as the group demanding payment of $1.7 million.

The Technion Institute fights against a cyberattack

The Technion Institute of Technology, one of Israel’s leading public research universities, was hit by a cyberattack this week.

The Haifa-based academic institution is currently conducting incident response activities to determine the extent and cause of the incident.

“The Technion is the subject of a cyberattack. The scope and nature of the attack are under investigation,” the university said in a statement. statement published in Hebrew.

“To carry out the process of collecting and processing information, we use the best experts in the field, both within the Technion and outside, and we coordinate with the competent authorities. The Technion has blocked many proactively all communication networks at this point.”

A ransom note from the new ransomware group ‘DarkBit’ was left on the university’s systems, where the attackers demanded 80 bitcoins, approximately USD 1,745,200, to release the decryptor to the university.

The date displayed on the PC in the image above indicates that the attack occurred on or before February 12, 2023.

BleepingComputer also observed that at this point the Institute’s websites are inaccessible, likely after the university blocked all network access during the attack.

Although Technion’s cyber systems may be affected, university campus operations continue as normal.

“Tomorrow’s working day on campus will be business as usual, with the exception of postponed exams,” the Institute said.

“The guidelines issued in the morning regarding attendance at public activities due to a day off remain unchanged. We will continue to update when we have more information.”

Who is ‘DarkBit’ anyway?

A threatening actor, a disgruntled employee, a pro-Palestinian activist, or all of these?

The unknown “DarkBit” gang emerged this week and its whereabouts are not yet known. The attackers, however, drop some clues about their goals both in the ransom note and their Twitter and Telegram channels.

DarkBit’s stance against “racism, fascism, and apartheid” may cause their activities to be considered hacktivism at first glance, but the group’s motivations appear to be multiple.

From the use of the #HackForGood hashtag in its Twitter bio to the anti-Israel messages seen in the ransom note, as well as the group calling for tech layoffs, it’s hard to categorize DarkBit just yet.

While attacking Israel for being an “aparheid regime”, DarkBit attackers want to do them paying for “war crimes against humanity” and “firing highly qualified experts”.

“A benevolent advice to high-tech companies: from now on, be more careful when deciding to lay off your employees, especially geeks. [sic]“, said DarkBit in a subsequent tweet.

Depending on how one interprets the wording, the attack seems to be DarkBit’s way of getting revenge for the firings that may have involved its members.

Threat actors seem to imply that firing highly technical employees without performing due diligence could pose a threat to an organization’s security posture. Some terminated (and disgruntled) employees may have insider knowledge that allows them easier access to an organization’s computer networks even after termination.

“DarkBit went from hacktivist to ransomware group to disgruntled ex-employee in a single day,” comments cybersecurity analyst Dominic Alvieri.

The group threatened to impose a 30% penalty on top of an already large ransom demand if the university did not agree to pay. Additionally, the attackers warn that they will put all stolen data on sale after five days.

BleepingComputer continues to monitor the situation and we will post updates as development progresses.