Cybersecurity firm Cyble has identified a new politically motivated ransomware group, BlackMagic, which is allegedly linked to Iran and is targeting companies in Israel.
According to Cyble analysts, the group uses a double-extortion model: it first exfiltrates the victim's files and then encrypts them. BlackMagic has claimed more than 10 victim companies so far, all of them Israeli; the group itself is believed to be of Iranian origin.
Notably, the ransom note contains no payment demand at all. Instead, the attackers list the social media accounts on which they publish the victim's data. This suggests the group is interested in leaking and selling the stolen data rather than in collecting a ransom from its victims.
BlackMagic claims to have stolen 50GB of data from Israeli transport companies, as well as sensitive data belonging to more than 65% of the country's citizens. According to the researchers, the hackers are selling the stolen data on several cybercrime forums. The attackers also deface the victims' websites.
“Destroying logistics companies and preventing packages from being sent,” BlackMagic said in a darknet statement.
During encryption, the attackers drop a ransom note into every folder of the target system and append the ".BlackMagic" extension to the encrypted files.
After that, the malware creates a BAT file in the root of the C drive that removes traces of the attack once encryption is complete. The same BAT file also replaces the desktop background of the compromised device with an image, likely the BlackMagic logo, that incorporates the logos of the group's previous victims.
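The three filesystem observables described above (a ".BlackMagic" extension on encrypted files, a ransom note in every folder, and a BAT file in the root of the drive) are enough for a quick host triage. The script below is an added example written for this article; it is not Cyble's tooling and not code recovered from the ransomware. The article does not give the ransom note's file name, so `note_name` is a parameter with an assumed default, and the sample "drive" is a constructed temporary directory so the scan runs offline.

```python
"""Triage scan for the BlackMagic filesystem indicators described in the article.

Added example, not Cyble's or the attackers' code. The ransom note file name is
not given in the article; "RANSOM_NOTE.txt" below is an assumption. The sample
tree is constructed in a temporary directory so the script runs offline.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".BlackMagic"  # extension appended to encrypted files (from the article)


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    folders_with_note: int = 0
    folders_without_note: int = 0
    root_bat_files: list = field(default_factory=list)

    @property
    def likely_hit(self) -> bool:
        # Require both encrypted files and a note in every walked folder; a single
        # stray .BlackMagic file on its own is weak evidence.
        return bool(self.encrypted_files) and self.folders_without_note == 0


def scan(root: str, note_name: str = "RANSOM_NOTE.txt") -> ScanResult:
    """Walk `root` (the suspected drive) and collect the three indicators."""
    result = ScanResult()
    root = os.path.abspath(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        if note_name in filenames:
            result.folders_with_note += 1
        else:
            result.folders_without_note += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            # The article places the cleanup BAT file in the root of the C drive,
            # so only .bat files directly under `root` count here.
            if dirpath == root and name.lower().endswith(".bat"):
                result.root_bat_files.append(path)
    return result


def build_sample_tree(note_name: str = "RANSOM_NOTE.txt") -> str:
    """Construct a fake 'C drive' showing the indicators from the article (constructed data)."""
    root = tempfile.mkdtemp(prefix="blackmagic_sample_")
    os.makedirs(os.path.join(root, "Users", "alice", "Documents"))
    os.makedirs(os.path.join(root, "ProgramData", "app"))
    # Two "encrypted" files with the appended extension (contents are placeholders).
    for rel in (os.path.join("Users", "alice", "Documents", "report.docx" + ENCRYPTED_EXT),
                os.path.join("ProgramData", "app", "db.sqlite" + ENCRYPTED_EXT)):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"\x00" * 16)
    # The article says the note lands in every folder, so drop one in each directory.
    for dirpath, _dirnames, _filenames in os.walk(root):
        with open(os.path.join(dirpath, note_name), "w") as f:
            f.write("constructed placeholder note; real text not on the page\n")
    # Cleanup BAT file in the drive root; its real contents are not given in the article.
    with open(os.path.join(root, "cleanup.bat"), "w") as f:
        f.write("@echo off\r\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    r = scan(sample)
    print(f"encrypted files: {len(r.encrypted_files)}")
    print(f"folders with/without note: {r.folders_with_note}/{r.folders_without_note}")
    print(f"root .bat files: {r.root_bat_files}")
    print(f"likely BlackMagic activity: {r.likely_hit}")
```

On a real host, point `scan` at the drive root (for example `C:\`) and pass the note name observed in the incident; the `likely_hit` rule deliberately requires the note in every walked folder, because a single renamed file would otherwise produce false positives.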
Based on BlackMagic's activity so far, the researchers assess that the group is politically motivated, but it is unclear how its operations will develop in the future.