Moses Staff targets Israeli entities with ransomless encryption attack

Moses Staff hacker group launched the destructive malware attacks against political organizations in Israel

Moses Staff group targeted companies in Israeli with encryption malware

Various firms in Israel were targeted by the attacker group that released encryption malware but payment was not demanded.^[1] Moses Staff hacker gang claimed to be responsible for the attacks against Israeli companies. Attacks seem to be politically motivated because ransom payments were not delivered.^[2] These damaging attacks were caused in the past couple of months when the attackers managed to infiltrate the networks and affect the machines with encryption processes.^[3] The group also stole information and leaked copies of the data to the public.

The encryption malware caused damage to files on the networks, but the random demand that is common for the crypto extortion-based file-locking malware was not demanded. It shows that the threat actors aimed to disrupt operations and damage the targeted devices, expose the secrets from corporate networks, and private or sensitive information. The stolen data was breached using Twitter accounts, Telegram channels, data leak sites. At least 16 victims had their sensitive information breached.

Politically-motivated hacker group

The threat actors were named Moses Staff by the hackers themselves. These links to the wave of attacks against Israeli organizations date to the start of September 2021. It seems that the main goal of the jackets is to leak sensitive information and encrypt the networks to cause issues with the machines.

However, the group is not allowing victims to restore those machines back to a normal state and to restore pieces because the ransom payment, commonly demanded in exchange for a file recovery tool, was not demanded. Researchers^[4] state that the attackers do not care for financial gain other than to fight the resistance and expose crimes of organizations:

The group openly states that their motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim's networks, with no ransom demand.

The detailed report from Check Point showed that the group used the publicly available flaws that helped to exploit the networks. Vulnerable Microsoft Exchange servers that have been exploited for months got used because many of them remained unpatched for a while.^[5]

Encryption malware without payment demand with a goal of the data breach

Once the system was accessed by exploiting those known flaws, threat actors used the custom backdoors and the additional threat – PyDCrypt malware- to run the open-source disk encryption tool DiskCryptor. This is how devices got locked. Researchers stated that the encryption is pretty weak and can be restored since the attacker used the symmetric key generation method.

The group was not focused on encryption, and they haven't put much effort into this procedure. The main aim of the hacker group is to cause havoc in the system and trigger panic, disrupt operations. The encryption process resulting in an irrecoverable state of the network was not the main thing they cared about.

Publicizing the stolen data started a few days back, and Twitter, telegram platforms, as well as the group-controlled website published claims about the targets. Thirty-four terabytes of documents and other stolen data got posted on the page too to “expose the crimes of the Zionists in occupied Palestine.”