Israel targeted by suspected Iranian threat actor


A new ransomware group that is apparently motivated more by politics than profit has been spotted in the wild by cyber defense company Cyble. Calling itself BlackMagic, it is believed to be linked to Iran and primarily going after companies in Israel.

The group appears to be opting for the double extortion tactic, stealing the victim organization’s vital data as well as rendering it beyond the owner’s use by encrypting it.


“During a routine threat-hunting exercise, Cyble came across a new group named BlackMagic,” the company said in its analysis. “This ransomware group uses a double-extortion technique to target its victims, in which it first exfiltrates the victim’s data, followed by encryption.”

Cyble adds that BlackMagic has named more than 10 victims so far, all of them from Israel, and suspects it is Iranian in origin.

Intriguingly, ransom notes left by the gang include no details for cryptocurrency payments, instead pointing the recipient towards social media channels used to expose the victim’s data.

“This indicates that the ransomware group is interested in selling the exfiltrated data rather than demanding money from its victims,” said Cyble.

Image: digital 'calling card' (ransom note) left by BlackMagic in a folder on a victim's computer

Bragging rights?

BlackMagic says it has stolen 50GB of data from transport companies based in Israel, and makes the rather more extravagant claim of having leaked sensitive data of nearly two-thirds of the country’s citizens.

“The threat actors behind this group are using multiple cybercrime forums to sell the data obtained from these attacks,” said Cyble. “They also claimed that these attacks include sensitive data of over 65% of Israeli citizens.”


“Destruction of logistics companies and prevent [sic] parcels from being sent,” declares another statement from BlackMagic viewed by Cyble on the dark web.

Other tactics pursued by the apparently partisan group include defacing victim company websites to say things like “hacked by BlackMagic.”

During the encryption process, the ransomware drops a ransom note named “HackedByBlackMagic.txt” into every folder on the target system and then renames the files it has encrypted by appending .BlackMagic to their names.

The ransomware also writes a .bat file to the root of the victim’s C: drive containing a sequence of commands that removes traces of the malware once encryption is complete, a common anti-forensics step that leaves the ransom notes, the renamed files and (if recovered before it runs) the batch file itself as the most readily available host indicators for responders. It further changes the target machine’s desktop background to a colorful collage featuring an illustration that apparently passes for BlackMagic’s logo.
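The indicators in the two paragraphs above (the ransom note name, the appended extension and a batch file at the drive root) are enough for a quick host triage. The script below is an added example written for this page, not Cyble’s tooling or anything recovered from BlackMagic: the directory tree it scans is constructed in a temporary folder, and the self-deletion command patterns it looks for in .bat files are an assumption, since the article does not publish the batch file’s contents.

```python
"""Host triage for the BlackMagic ransomware artifacts described in the article.

Added example (not Cyble's code). Walks a directory tree and reports:
  * ransom notes named HackedByBlackMagic.txt   (from the article)
  * files whose name ends in .BlackMagic        (from the article)
  * .bat files at the scanned root that contain self-deletion commands
    (the command patterns are an assumption; the real script is unpublished)
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

RANSOM_NOTE = "HackedByBlackMagic.txt"
ENCRYPTED_EXT = ".BlackMagic"

# Assumed self-deletion pattern: a DEL/ERASE line that targets an .exe or the
# batch file itself (%0 / %~f0). Windows filenames are case-insensitive, so all
# name comparisons below are lower-cased.
SELF_DELETE_RE = re.compile(r"^\s*(?:del|erase)\b.*(?:\.exe|%~?f?0)",
                            re.IGNORECASE | re.MULTILINE)


@dataclass
class TriageResult:
    ransom_notes: list = field(default_factory=list)
    encrypted_files: list = field(default_factory=list)
    suspicious_batch: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.ransom_notes or self.encrypted_files)


def original_name(path) -> str:
    """Recover the pre-encryption file name by stripping the appended extension."""
    name = os.path.basename(str(path))
    if name.lower().endswith(ENCRYPTED_EXT.lower()):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def scan_tree(root) -> TriageResult:
    """Walk `root` (a drive root or mount point) and collect the indicators."""
    root = Path(root)
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        for name in files:
            p = here / name
            if name.lower() == RANSOM_NOTE.lower():
                result.ransom_notes.append(p)
            elif name.lower().endswith(ENCRYPTED_EXT.lower()):
                result.encrypted_files.append(p)
            elif p.suffix.lower() == ".bat" and here == root:
                try:
                    text = p.read_text(errors="replace")
                except OSError:
                    continue
                if SELF_DELETE_RE.search(text):
                    result.suspicious_batch.append(p)
    return result


def build_sample(base) -> None:
    """Constructed sample tree mimicking the post-encryption layout from the article."""
    base = Path(base)
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    for folder in (docs.parent, docs):           # note dropped in every folder
        (folder / RANSOM_NOTE).write_text("Hacked by BlackMagic\n")
    (docs / "invoice.xlsx.BlackMagic").write_bytes(b"\x00" * 16)  # renamed file
    (docs / "readme.txt").write_text("benign, untouched\n")
    # Constructed batch file with a plausible self-deletion sequence (assumption).
    (base / "cleanup.bat").write_text(
        "@echo off\r\nping 127.0.0.1 -n 3 > nul\r\n"
        "del /f /q \"C:\\Users\\Public\\payload.exe\"\r\n"
        "del \"%~f0\"\r\n")


def demo() -> dict:
    """Build the sample tree, scan it and summarise what a responder would see."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        r = scan_tree(tmp)
        return {
            "infected": r.infected,
            "notes": len(r.ransom_notes),
            "encrypted": len(r.encrypted_files),
            "batch": len(r.suspicious_batch),
            "originals": sorted(original_name(p) for p in r.encrypted_files),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image or the root of a suspect drive with `scan_tree(r"C:\")` instead of the constructed sample; `original_name` is what you would feed into a recovery or backup-restore list. Matching on the ransom note name and extension is only as durable as the group’s naming habits, so treat these as triage indicators, not as a detection signature.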

“Based on the activities of the BlackMagic ransomware group, we suspect them to be politically motivated, but it is unclear how they will evolve in the future,” Cyble added.

Image: BlackMagic's desktop background as installed on victim machines after an attack. The threat group's logo and an apparent list of previous victims are displayed on the latest target's desktop after data has been encrypted and exfiltrated.