Update: 7/23/2024 – 6:15 PM
We would like to highlight the URL of the statement published on Globes’ website regarding the ransomware attack.
https://en.globes.co.il/en/article-update-about-cyberattack-on-globes-1001484983
In the last few hours, the Medusa ransomware group has published, on its blog on the Tor network, the name of the Israeli economic newspaper Globes (Monitin group) as one of its latest victims. Globes, based in Tel Aviv, was among the first business newspapers in Israel to publish its content online in 1995.
According to a note released by Globes, there are 45,000 people subscribed to the website:
Each evening, Globes brings its unrivaled coverage of Israeli business to some 45,000 subscribers representing Israel’s elite in management, investment, technology, law, accounting, and marketing […]
We know that Medusa first exfiltrated a considerable amount of data from Globes servers, and that the data was then encrypted by the group’s affiliate. The ransom demanded by the cybercriminals to prevent the publication of all documents is 1 million dollars; the same price was set for their download.
We sent a series of 9 emails to some Globes employees asking for a statement on the matter prior to publication of this article. Of these, three were sent respectively to the Chairperson and CEO, to the chief editor, and to human resources (HR). We know that at least two of the recipients had the opportunity to open and read our email, but at the moment we have not received any answer.
Screenshot and redaction by SuspectFile.com
Among the documents exfiltrated from the Globes servers there are some that we could consider “important”. One of them contains a plaintext password, dated November 2023, to access a database. The “LicenseKeys_2023810.csv” file contains the Licensing ID, the name of the organization (Globes), the type of product [for example Windows Server (year), the versions of the Windows operating system used], and the Product Key.
Screenshot and redaction by SuspectFile.com
Another file that we had the opportunity to analyze contains 165 email addresses of Globes employees. The Excel file “mails-globes-2FA.xlsx” also lists:
- Names and surnames of employees
- Department
- Phone numbers
For each email address, it also indicates whether 2FA (Two-Factor Authentication) has been activated or not. The surprising thing is that this additional protection is only active on 45 accounts, just over 25% of the total. It surprises us that among the accounts where 2FA is not active is that of the Chairperson and CEO of Globes.
Screenshot and redaction by SuspectFile.com
To date, we have not read any statement on the Globes website informing its subscribers and readers about the theft of data following the cyber attack on the online newspaper’s IT infrastructure. We are not aware, at the moment, whether the data exfiltrated by the Medusa ransomware group also includes data attributable to private citizens.
We will monitor the situation and update the article in case of new details.