Notable Ransomware Attacks in Israel

Ransomware attacks can target any organization—large or small, public or private. Below are notable real-world incidents in Israel that highlight the disruptive impact of ransomware, the response strategies employed, and the critical role of strong cybersecurity measures.

Hillel Yaffe Medical Center (October 2021)

Date & Context

In October 2021, Israel witnessed one of its most severe healthcare-sector ransomware incidents at Hillel Yaffe Medical Center in Hadera. Healthcare infrastructure worldwide has increasingly become a target for cybercriminals due to the sensitive, life-critical data it handles.

Victim

Hillel Yaffe is a major hospital serving a large regional population. Any disruption to its systems can directly impact patient care, making it especially vulnerable to severe outcomes in a cyberattack scenario.

Attack & Intrusion

Without warning, attackers encrypted the hospital’s servers, rendering essential digital tools and records inaccessible. Although a ransom demand was issued, no exact figure was publicly confirmed.

Business/Operational Impact

The immediate fallout was severe: non-urgent treatments and surgeries had to be canceled, while staff relied on manual record-keeping. Financial damages—including IT rebuilding, lost revenue, and emergency staffing—eventually reached around ₪36 million (~$11M). Even more critical, patient safety was at risk during the downtime.

Ransom Demand

While a demand was made, hospital officials chose not to engage or negotiate. They maintained a strict policy of non-payment, aligning with broader governmental guidance intended to deter future attacks on critical infrastructure.

Response

Together with Israel’s National Cyber Directorate and the Health Ministry, Hillel Yaffe focused on containment and recovery through backup systems and manual workflows. Although the restoration process was lengthy and costly, the hospital successfully rebuilt its IT infrastructure without paying a ransom.

Lessons Learned

This attack exemplifies how ransomware in healthcare can jeopardize patient care as much as it impacts financial stability. Having reliable backups, clear incident-response plans, and a willingness to endure a longer recovery proved essential. By refusing to pay, the hospital upheld a principle aimed at dissuading further attacks on critical sectors.

Tower Semiconductor (September 2020)

Date & Context

September 2020 saw a global uptick in ransomware incidents, and Tower Semiconductor—one of Israel’s largest chip manufacturers—became a notable victim. With around 5,000 employees, the company was well-established in advanced manufacturing and served international clients in the tech sector.

Victim

Tower Semiconductor specializes in manufacturing integrated circuits for customers worldwide, making it a critical supplier in various electronics markets.

Attack & Intrusion

Hackers gained unauthorized access to Tower’s network and deployed ransomware that effectively paralyzed critical production systems. The exact method of intrusion was not publicly disclosed, though the event aligned with a global surge in ransomware aimed at high-value targets.

Business/Operational Impact

Production lines were halted, leading to immediate financial losses and potential scheduling setbacks for clients. Experts in the semiconductor field noted that any unplanned downtime can cost millions of dollars daily, highlighting the high-stakes nature of manufacturing disruptions.

Ransom Demand

The attackers demanded what insiders described as “hundreds of thousands” of dollars in ransom. Although the full details were not made public, Tower reportedly chose to pay to expedite system decryption and resume production.

Response

In addition to promptly informing regulators, Tower took systems offline as a precaution, limiting further spread. Its cyber insurance policy ultimately covered the ransom costs, allowing a swift move toward restoration. Production resumed soon after the decryptor was received, minimizing the overall downtime.

Lessons Learned

Tower’s experience underscores that even large industrial companies with robust technology infrastructures remain vulnerable to ransomware. The cost of downtime in a manufacturing environment is often so severe that some organizations feel compelled to pay. While insurance can mitigate financial damage, relying on ransom payments alone is a high-risk strategy; stronger cyber defenses and offline backups remain crucial for long-term resilience.

Sapiens (Mid-2020)

Date & Context

In the early months of the COVID-19 pandemic, many companies rapidly transitioned to remote work. This shift presented new security gaps that ransomware groups were eager to exploit. Sapiens International, a prominent Israeli software firm, found itself targeted during this turbulent period.

Victim

Sapiens, employing around 2,500 people worldwide, specializes in insurance technology solutions. Its platforms and services underpin key operational functions for various insurance providers.

Attack & Intrusion

Hackers capitalized on vulnerabilities introduced by remote work—possibly through phishing or improperly secured remote access points. They infiltrated Sapiens’ network and threatened to completely lock the company’s systems if their ransom demands were not met.

Business/Operational Impact

With critical client services at stake, Sapiens faced a dire threat that could have crippled the business had it escalated further. Fears of a full system shutdown prompted urgent risk analysis, as the company’s day-to-day activities and client relations hung in the balance.

Ransom Demand

The attackers demanded payment in Bitcoin, initially setting the ransom at around $250,000. Confronted with the possibility of catastrophic downtime, Sapiens opted to pay the ransom to regain system control quickly.

Response

Although operations were restored relatively smoothly, the choice to pay raised ethical and strategic concerns. The event was not reported to U.S. or Israeli stock exchange authorities at the time, indicating a desire for discreet damage control. This approach led to immediate containment but underscored how paying ransom can embolden criminals in the long run.

Lessons Learned

Sapiens’ ordeal highlights security blind spots during large-scale remote work transitions and underscores how hackers exploit organizational changes. While paying a ransom may provide a rapid short-term solution, it can also encourage further attacks. Investing in robust cybersecurity practices—especially for remote setups—is often more cost-effective and ethically sound than relying on a ransom payout.

Cyberserve (Black Shadow Attack – October 2021)

Date & Context

In late 2021, an Iran-linked group known as Black Shadow carried out an attack on Cyberserve, an Israeli web hosting provider. The incident highlighted not only financial motives but also potential political or ideological undertones.

Victim

Cyberserve hosted data for various clients, including an LGBTQ dating site (Atraf), bus companies (Dan and Kavim), a travel agency, and more. A breach in its systems thus exposed multiple organizations simultaneously.

Attack & Intrusion

Hackers stole and encrypted databases, claiming they had “damaged” the servers. Sensitive personal data, including the HIV status of some users, was accessed. This multi-tenant compromise sent shockwaves through Cyberserve’s client base, affecting hundreds of thousands of individuals.

Business/Operational Impact

The breach culminated in one of Israel’s most significant privacy violations, with stolen data gradually leaked online. Public trust eroded, especially for those unaware their information was stored in Cyberserve’s infrastructure. Cyberserve itself faced a major operational and reputational crisis as its website went offline.

Ransom Demand

The attackers demanded $1 million in exchange for not leaking the data. However, neither Cyberserve nor government agencies paid the ransom. Negotiations proved futile, and the hackers publicly dumped the stolen information after a short deadline.

Response

In the wake of the leaks, Israeli authorities pivoted to damage control—advising users on password changes and alerting them to potential identity fraud. Cyberserve’s operations were effectively halted, while law enforcement pursued the perpetrators (suspected to be beyond Israel’s jurisdiction).

Lessons Learned

The Cyberserve attack illustrates the single-point-of-failure risk that arises when a third-party provider manages critical data for multiple organizations. Paying a ransom doesn’t guarantee privacy, particularly when attackers have political or ideological motives. Thoroughly vetting external vendors’ security measures and having solid incident-response protocols are paramount.
