Stolen Data, Extortion and the Media: A Look at TheDarkOverlord

After making headlines by targeting a number of healthcare organizations over the summer, the cybercriminal actor known as TheDarkOverlord re-emerged last week with a new victim: California investment bank WestPark Capital.

As we noted in last week’s cyber risk roundup, the leak of documents from WestPark Capital is the first time SurfWatch threat analysts have observed TheDarkOverlord targeting the financials sector. The approximately 20 documents leaked so far — several of which have been confirmed to be legitimate by various news sources — include items such as non-disclosure agreements, meeting agendas, contracts and more.

“WestPark Capital is a ‘full service investment banking and securities brokerage firm’ whose CEO, Richard Rappaport, spat in our face after making our signature and quite frankly, handsome, business proposal and so our hand has been forced,” TheDarkOverlord wrote on Pastebin.

TheDarkOverlord ended its post by reiterating a simple message to current and future victims: “pay up.”

TheDarkOverlord’s Signature “Business Proposal”

Like previous attacks from TheDarkOverlord, it appears that the actor first tried to quietly extort the victim company with stolen data, and like previous victims, WestPark Capital refused to pay the ransom. As a result of non-payment, TheDarkOverlord published a portion of the stolen data. This publication may serve several purposes for TheDarkOverlord. First, it generates media attention around the breach that can be used to pressure WestPark Capital into paying the ransom before more damage is done. Second, and perhaps more importantly, it helps establish TheDarkOverlord as a credible threat when it comes time to extort the next victim.

This tactic was noted by SurfWatch threat analysts back in July, when TheDarkOverlord’s targeting of healthcare organizations pushed the actor into the spotlight.

“There is suspicion that TheDarkOverlord is using the media to apply pressure to breached organizations to pay the actor’s extortion threats,” SurfWatch Labs wrote in a customer alert. “It is a plausible scenario that the actor’s true monetary motivation is to receive payment from breached organizations rather than sell the data openly on the Dark Web, especially at the high price the actor has set, which insinuates that the advertisements are primarily meant as a marketing tool.”  

TheDarkOverlord has been particularly adept at generating media attention through a combination of high initial prices on the stolen data, leaking portions of that data, and being available to various news outlets in order to push the actor’s extortion agenda.

For example, one of the first databases the group put up for sale belonged to a healthcare organization in Farmington, Missouri. Several days later, after several news stories had identified the name of that organization as Midwest Orthopedic Clinton, TheDarkOverlord took to publicly shaming the victim.

“[Owner] Scott a. Vanness should have just paid up to prevent this leak from happening,” TheDarkOverlord told The Bitcoin News. “He can still salvage the rest of the records and save himself from other things that we have made him aware of.” When asked if there would be more data leaked from other companies, the contact wrote back, “If they do not pay yes.”

That message is similar to statements made recently towards WestPark Capital — essentially, pay the extortion or face further leaks and public shaming.

It’s unclear if any previous organizations have paid ransom demands to TheDarkOverlord, but the actor’s statements often appear aimed at addressing future victims.

For example, TheDarkOverlord warned companies in June via DeepDotWeb, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” In addition, TheDarkOverlord told Motherboard that the ransom would be “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims.”

Who is the TheDarkOverlord?

TheDarkOverlord portrays itself as a group of hackers — frequently using “we” and “us” in its latest posting; however, TheDarkOverlord has on occasion implied that one person was behind the decision making, as the Motherboard quote above indicates. It’s unclear if TheDarkOverlord is a group of actors or if the language is just another attempt to build up TheDarkOverlord brand as a wide-reaching cyber threat. 

TheDarkOverlord did say that other hackers recently exploited the group’s name in a data breach at St. Francis Health System.

This isn’t surprising as copycat actors often use already-established cybercriminal names. For example, earlier this year a string of attacks used the Armada Collective’s name to successfully extort companies with the threat of DDoS attacks. Actors looking to extort companies can leverage the well-known TheDarkOverlord name to make the threat appear more credible.

“Although we applaud the individuals for their successful breach (despite how boring SQL injection and the acquisition of non-PII data is) and clever act of pinning this against us, we do not appreciate the unauthorised use of our name,” TheDarkOverlord wrote. “Unlike some laughable and inadequate actors, we are not an ‘idea’ or a ‘collective’ and as such, one shouldn’t operate under our name in order to uphold one simple and easy to follow concept: Honour Among Thieves.”

TheDarkOverlord does have an interesting approach to extorting companies. Unlike the former Armada Collective’s DDoS attacks or the ongoing surge of ransomware attacks — which actually disrupts service and prevents customers or employees from accessing resources — TheDarkOverlord has relied on a more traditional blackmail approach of causing damage via stolen and leaked data.

At the moment it is unclear how successful that approach is when compared to more disruptive attacks, but if the group and its copycats continue to leverage this approach, one can assume that it must be a profitable avenue of attack.