On Monday, the extortion group known as TheDarkOverlord released the first eight episodes of ABC’s soon-to-be-aired television show “Steve Harvey’s Funderdome” on the torrent site The Pirate Bay.
The leak of the ABC show follows a similar failed extortion attempt and subsequent leak of the first ten episodes of Netflix’s upcoming season of “Orange is the New Black” on April 28. At the time of the Netflix leak, TheDarkOverlord claimed to have stolen hundreds of gigabytes of unreleased and non-public media from a studio — including a total of 37 different film and TV titles. That leak was then tied to Larson Studios, an award-winning audio post-production studio in Hollywood.
As a result, Monday’s leak was likely not a surprise to ABC. TheDarkOverlord has been tweeting about the theft since late April and TheNew York Times reported that the FBI began notifying the affected companies of the theft a month before that.
Who is TheDarkOverlord?
There isn’t much known about TheDarkOverlord as the group is very careful about exposing information that could relate to its members’ identities. This actor is smart and calculated but also has become bolder and more arrogant as evidenced in communication with recent victims — as well as very recently even setting up a help desk like hotline.
“Time to play another round,” the group wrote in a Pastebin post announcing the leak on Monday. “We’re following through on our threats as we always do. We firmly believe that honesty and determination are the two most important factors of any business.”
The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.
Communication with TheDarkOverlord has shown that there is likely more than one member of the group; however, the language utilized on the group’s accounts suggests that a single member is responsible for the managing the Twitter promotions as it has a common syntax. Generally, healthcare organizations (the group’s primary targets) are under-secured and TheDarkOverlord is taking full advantage.
How TheDarkOverlord Attacks Organizations
TheDarkOverlord favors exploits that allow remote desktop control of a network. The group has also taken data acquired by other actors and exploited the clients found in these breached databases. This shows that TheDarkOverlord is not only proactive with its own targeting, but also opportunistic with regards to the sensitive data of any organization that the group comes across and can and take advantage of — as evidenced by the recent pivot from targeting healthcare organizations to those in the entertainment industry.
In regards to the targeting of entertainment brands, TheDarkOverlord discovered what may have been a softer target in the form of the post-production company Larson Studios, which is part of several major entertainment brands’ supply chain. TheDarkOverlord claims that it was able to exfiltrate numerous unreleased (still under production) media to use as leverage, although the group has only leaked two shows thus far.
As TheDarkOverlord moves from entertainment brand to entertainment brand with its extortion efforts, the actor is learning what impacted brands are willing to pay (if anything), and the group is then releasing the media publicly in order to harm the targeted brand financially for not giving into demands. “Orange is the New Black” was leaked a full six weeks before its June 9 premiere data, and “Steve Harvey’s Funderdome” was leaked six days before its June 11 premiere. Targeted brands are likely following the impact of releasing the unaired shows very closely.
Furthermore, TheDarkOverlord has a unique relationship with the media. By garnering media attention, the group builds its reputation and applies pressure to the organizations it wishes to extort. There have been reports that TheDarkOverlord first contacts its exploited entity and demands a ransom. Once the entity refuses, the actor then lists the heathcare database on TheRealDeal Marketplace or releases entertainment media publicly and alerts the media to its presence.
Past activity has shown a slight shift in tactics as TheDarkOverlord has breached an organization and followed that up by sending the victim, along with particular media figures who request it, a sample of the data. By involving security reporters and bloggers, TheDarkOverlord lends credibility to its work while causing panic in consumers who might be associated with the breach. Consumers’ dissatisfaction will also add pressure to the extorted entities to provide ransom payment to the actor for the stolen data.