2017 Cyber Forecast: Blackmail Using Media and Sensitive Data Will Grow

The end of the year is drawing nearer, and with that comes a handful of traditions: family gatherings, eggnog by the fire, and everyone’s annual list of cybersecurity “predictions.” While it’s a bit semantic, I’m personally not a big fan of the term “predictions.” As someone who lives in the intel world, it’s more about looking at the data and making forecasts using probabilities. In all of the cyber threat intelligence that we provide our customers, we include a confidence level based on what we’re seeing and the probability of that threat impacting a specific customer.

I start out with the above just to level set the rest of this blog (and the next several blogs around 2017 cyber forecasts). When it comes to identifying trends and making a forecast on probability of what threats make waves in 2017, based on the success of ransomware attacks I have moderate confidence that we will see growth of more traditional extortion-related cybercrime.

SurfWatch Labs has seen a steady growth in the number of targets publicly associated with extortion, blackmail and ransoms over the past few years, and we expect that number to rise even higher in the coming year.

2016-12-08_extortion
Extortion-related crimes are on the rise (note: 2H 2016 data includes intelligence collected through December 7).

One of the best and most recent examples of malicious actors using extortion is the hacking group known as TheDarkOverlord, which has breached, attempted to extort and then publicly shamed a variety of organizations over the second half of 2016.

The latest incident is the November breach of Gorilla Glue. TheDarkOverlord claimed to have stolen more than 500 GB of data, including research and development material, intellectual property, invoices and more. The group then offered Gorilla glue its signature “business proposition.” As we wrote in a SurfWatch Labs blog earlier this year, the proposition is simple: pay the blackmail or face further data leaks and public shaming. After what TheDarkOverlord described as “a moderate dispute” with Gorilla Glue over payment — we’re guessing Gorilla Glue refused to pay — TheDarkOverlord shared a 200 MB cache of files with the media to help spread the story.

The evolving use of the media is actually one of the more interesting tactics used by TheDarkOverlord and other successful extortion groups this past year. Extortionists have referenced news coverage in their demands, prompted users to research past victims, and impersonated cybercriminals with established media coverage — all in an effort to lend credibility to their threats.

For example, back in April CloudFlare reported that a group using the “Armada Collective” name was blackmailing businesses with an extortion email that read, in part:

We are Armada Collective.

http://lmgtfy.com/?q=Armada+Collective

Your network will be DDoS-ed starting [date] if you don’t pay protection fee – 10 Bitcoins @ [Bitcoin Address].

If you don’t pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

The link in the email led to a Google search of the group, allowing victims to quickly see that some security researchers had described Armada Collective as a “credible threat.” Except the attackers were not part the original Armada Collective. They were copycats simply exploiting the original group’s already established name. As CloudFlare later discovered, there was not “a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack.” Despite the lack of follow through, the group managed to extort hundreds of thousands of dollars from the victims.

Leveraging the media in that manner is something the SurfWatch analyst team has observed more frequently over the past year. However, news outlets and victims are starting to become more skeptical of claims. That’s one of the reasons threat actors such as TheDarkOverlord have evolved their tactics to establish a more direct and somewhat dysfunctional “relationship” with the media. Bloggers and news outlets get access to a direct source of stolen data that can help help generate headlines. Extortion groups receive the platform necessary to incite worry in the partners and consumers of the victim organization, adding pressure to pay extortion demands.

With cybercrime events seeing more mainstream coverage each year and extortion proven to be a successful, low-effort tactic, expect that dysfunctional relationship to continue to develop in the coming year. Extortion has proven particularly useful when it comes to the theft of sensitive customer data as it provides multiple additional ways for a threat actor to monetize information. If the victim organization doesn’t provide immediate compensation via an extortion payment, individual customers may then become targets of blackmail — sometimes years into the future.

Adultery site Ashley Madison announced its data breach in the summer of 2015, but individuals exposed in that breach were still being sent blackmail letters and emails nearly a year later. Some victims reported that when they didn’t pay, the blackmailers then followed through on their threats by sending letters about the individuals’ alleged infidelity to family, friends, and workplaces.

More recently, hackers stole customer information from Valartis Bank Liechtenstein and were reportedly threatening individual customers — including politicians, actors and high net worth individuals — that their personal information will be leaked if they do not pay 10 percent of their account balances in ransom.

These extortion and blackmail attempts are not nearly as prevalent as ransomware, but they follow the same principle of quick and easy monetization via the victims themselves. The past year has proven that the media can be successfully used as a tactic to better extort both organizations and individuals, particularly when it comes to sensitive information that may lead to brand damage or embarrassment. That trend will likely grow in 2017 as threat actors look to take advantage of every avenue when attempting to monetize future data breaches.

Stolen Data, Extortion and the Media: A Look at TheDarkOverlord

After making headlines by targeting a number of healthcare organizations over the summer, the cybercriminal actor known as TheDarkOverlord re-emerged last week with a new victim: California investment bank WestPark Capital.

As we noted in last week’s cyber risk roundup, the leak of documents from WestPark Capital is the first time SurfWatch threat analysts have observed TheDarkOverlord targeting the financials sector. The approximately 20 documents leaked so far — several of which have been confirmed to be legitimate by various news sources — include items such as non-disclosure agreements, meeting agendas, contracts and more.

“WestPark Capital is a ‘full service investment banking and securities brokerage firm’ whose CEO, Richard Rappaport, spat in our face after making our signature and quite frankly, handsome, business proposal and so our hand has been forced,” TheDarkOverlord wrote on Pastebin.

TheDarkOverlord ended its post by reiterating a simple message to current and future victims: “pay up.”

TheDarkOverlord’s Signature “Business Proposal”

Like previous attacks from TheDarkOverlord, it appears that the actor first tried to quietly extort the victim company with stolen data, and like previous victims, WestPark Capital refused to pay the ransom. As a result of non-payment, TheDarkOverlord published a portion of the stolen data. This publication may serve several purposes for TheDarkOverlord. First, it generates media attention around the breach that can be used to pressure WestPark Capital into paying the ransom before more damage is done. Second, and perhaps more importantly, it helps establish TheDarkOverlord as a credible threat when it comes time to extort the next victim.

This tactic was noted by SurfWatch threat analysts back in July, when TheDarkOverlord’s targeting of healthcare organizations pushed the actor into the spotlight.

healthcare_database_cropped
TheDarkOverlord posted several stolen healthcare databases for sale on TheRealDeal Market this summer. The largest set of data was listed at 750 bitcoin, or nearly half a million dollars.

“There is suspicion that TheDarkOverlord is using the media to apply pressure to breached organizations to pay the actor’s extortion threats,” SurfWatch Labs wrote in a customer alert. “It is a plausible scenario that the actor’s true monetary motivation is to receive payment from breached organizations rather than sell the data openly on the Dark Web, especially at the high price the actor has set, which insinuates that the advertisements are primarily meant as a marketing tool.”  

TheDarkOverlord has been particularly adept at generating media attention through a combination of high initial prices on the stolen data, leaking portions of that data, and being available to various news outlets in order to push the actor’s extortion agenda.

For example, one of the first databases the group put up for sale belonged to a healthcare organization in Farmington, Missouri. Several days later, after several news stories had identified the name of that organization as Midwest Orthopedic Clinton, TheDarkOverlord took to publicly shaming the victim.

thedarkoverlord
A healthcare database posted for sale on TheRealDeal Market by TheDarkOverlord.

“[Owner] Scott a. Vanness should have just paid up to prevent this leak from happening,” TheDarkOverlord told The Bitcoin News. “He can still salvage the rest of the records and save himself from other things that we have made him aware of.” When asked if there would be more data leaked from other companies, the contact wrote back, “If they do not pay yes.”

That message is similar to statements made recently towards WestPark Capital — essentially, pay the extortion or face further leaks and public shaming.

It’s unclear if any previous organizations have paid ransom demands to TheDarkOverlord, but the actor’s statements often appear aimed at addressing future victims.

For example, TheDarkOverlord warned companies in June via DeepDotWeb, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” In addition, TheDarkOverlord told Motherboard that the ransom would be “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims.”

Who is the TheDarkOverlord?

TheDarkOverlord portrays itself as a group of hackers — frequently using “we” and “us” in its latest posting; however, TheDarkOverlord has on occasion implied that one person was behind the decision making, as the Motherboard quote above indicates. It’s unclear if TheDarkOverlord is a group of actors or if the language is just another attempt to build up TheDarkOverlord brand as a wide-reaching cyber threat. 

thedarkoverlordpastebin
From TheDarkOverlord’s recent Pastebin post on WestPark Capital.

TheDarkOverlord did say that other hackers recently exploited the group’s name in a data breach at St. Francis Health System.

This isn’t surprising as copycat actors often use already-established cybercriminal names. For example, earlier this year a string of attacks used the Armada Collective’s name to successfully extort companies with the threat of DDoS attacks. Actors looking to extort companies can leverage the well-known TheDarkOverlord name to make the threat appear more credible.

thedarkoverlordnote
Statement from alleged copycat actors, as shown on databreaches.net.

“Although we applaud the individuals for their successful breach (despite how boring SQL injection and the acquisition of non-PII data is) and clever act of pinning this against us, we do not appreciate the unauthorised use of our name,” TheDarkOverlord wrote. “Unlike some laughable and inadequate actors, we are not an ‘idea’ or a ‘collective’ and as such, one shouldn’t operate under our name in order to uphold one simple and easy to follow concept: Honour Among Thieves.”

TheDarkOverlord does have an interesting approach to extorting companies. Unlike the former Armada Collective’s DDoS attacks or the ongoing surge of ransomware attacks — which actually disrupts service and prevents customers or employees from accessing resources — TheDarkOverlord has relied on a more traditional blackmail approach of causing damage via stolen and leaked data.

At the moment it is unclear how successful that approach is when compared to more disruptive attacks, but if the group and its copycats continue to leverage this approach, one can assume that it must be a profitable avenue of attack.