Shirbit hackers demand almost $1 million in ransom money to stop leaks

The hackers have already published large collections of files containing the private information of customers and employees.

People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica (photo credit: DADO RUVIC/REUTERS)
The Black Shadow hacker group, which targeted the Shirbit insurance company in a cyberattack on Tuesday, demanded that the company send 50 bitcoin ($961,110) to their bitcoin wallet within 24 hours, in a message published on their Telegram channel on Wednesday night.
The group stated that if the money is sent, they will not disclose any data and will not sell it to anyone. The hackers have already published large collections of files containing the private information of customers and employees.
Black Shadow warned that if the money is not sent within 24 hours of 9 a.m. on Thursday morning, the ransom demand will rise to 100 bitcoin ($1,922,220). If another 24 hours pass, the demand will rise to 200 bitcoin ($3,847,680). "After that we will sell the data to the others," warned the hackers, adding that they will leak some more data at the end of every 24 hours.
Shortly after the message was published, the group published more files, including faxes and ID cards.
Sources involved in the investigation told Channel 12 that an Israeli or someone in Israel may be involved in the cyberattack and that the attack seems to be from a private group and not a state.
Shirbit hired a negotiations expert to conduct negotiations with the hackers after the ransom demand was made overnight.
The company told Channel 12 that it was "puzzling" that the demand was made when the details of the attack were still unclear.
"Shirbit is working with teams of state and private cyber experts to return to full activity in the near future," said the company in a statement. "The company has a full backup that is not damaged, and the initial investigation shows that the information stolen will not cause damage to the company's customers. The company has acted to protect information resources in accordance with the directives of the authorities, and is also now fully coordinated with them."
The National Cyber Directorate and Capital Market Authority said on Tuesday that they were working with Shirbit to investigate the suspected attack and that an initial probe found that insurance details were also leaked.
Although the directorate only announced the attack on Tuesday morning, Black Shadow posted the first leaked documents on a Telegram channel at around 9 p.m. on Monday evening.
Shirbit reportedly has many government employees among its clients, including the president of the Tel Aviv District Court, Gilad Noitel.
In a Telegram message to KAN, the group stated that they had other targets that they would disclose later and that they conducted the attack "for money," without further clarification.
“The Shirbit insurance company places the safety and service of its customers at the top of its priorities and is ranked year after year among the top insurance companies in Israel in its fields of activity,” company CEO Zvi Leibushor said in response to the incident.
“Shirbit has invested millions of shekels in securing databases and protecting against cyberattacks, and meets all the stringent regulatory requirements in this area.”
Leibushor added that Shirbit is investing all resources and efforts needed for an “effective, safe and rapid solution to the cyberattack, whose real goal is to try to harm the Israeli economy.”
The attack comes amid a spike in ransomware attacks against insurance companies, with dozens of insurance companies in the US reporting such attacks in just the past week, according to the ransomware removal and cyber security service MonsterCloud.
The attackers in the US have made ransom demands ranging from 100,000 to millions of dollars.
"Based on the recent attacks here in the US, the attacks are money-driven," MonsterCloud CEO Zohar Pinhasi told The Jerusalem Post. "And even if the victim has a backup, the attacker will blackmail the victim for the ransom to prevent data leak, which is huge when it comes to insurance companies.
"This is a new trend in the US. This type of attack is caused due to a lack of cyber security knowledge," he said, warning that "it seems the company has a long and turbulent road ahead."
Pinhasi added that it is unclear whether the same group is behind the attacks in the US, explaining that hacker groups tend to change their names often in order to protect themselves.