Weekly Cyber Risk Roundup: Million Dollar Extortion Payments and TheDarkOverlord Loses Credibility

Ransomware made headlines this past week due to several infections that disrupted business operations, as well as a million dollar extortion payment that was negotiated by South Korean web hosting firm Nayana after its servers were infected with Erebus Ransomware on June 10. Nayana said the payment was necessary to restore 150 servers and the 3,400 affected client websites, most of which were for small companies and startups.


The initial ransom demand was for 5 billion won ($4.4 million) in bitcoin, but the company managed to negotiate the payment down to 1.3 billion won ($1.1 million or 397.6 bitcoin). In a statement on the company’s website (Korean language) on Thursday, Nayana CEO Hwang Chilghong said he knows the company should not negotiate with hackers, but that the damage was too widespread and too many people would be harmed if the company did not pay the extortion.

WannaCry was also back in the news this week due to Honda Motor saying that plants in Japan, North America, Europe, China, and other regions were recently infected with the ransomware despite efforts to protect their networks following last month’s WannaCry outbreak. One location, a Sayama automobile plant located near Tokyo, was idled due to the infection. Authorities in Victoria, Australia also announced that 55 traffic and speed cameras were accidentally infected with WannaCry due to a maintenance worker using an infected USB stick. Local media reported that the police have decided to cancel 590 fines sent to road users caught by the WannaCry-infected cameras.

Other ransomware news includes Waverly Health Center in Iowa being infected with an unknown ransomware variant and having to shut down their IT systems for a period of time, and Proofpoint researchers saying that the ransomware infections recently reported at several UK universities were part of a larger malvertising campaign carried out by the AdGholas group that leveraged the Astrum Exploit Kit to spread Mole ransomware.


Other trending cybercrime events from the week include:

  • Massive voter database leaked: A database containing detailed information on 198 million U.S. voters and compiled by GOP political consultant Deep Root Analytics was left exposed to the Internet for 12 days. The information included data pulled from voter lists maintained by the RNC that was augmented by other sources such as social media sites. The leak includes data on some voters such as ethnicity, religion, contact information, and views on a variety of political issues. In addition, the data included proprietary information such as unique RNC identifiers for each voter.
  • POS breach discovered at The Buckle: The clothing store chain The Buckle announced that point-of-sale (POS) malware was discovered on some of its retail POS systems and that some payment cards used between October 28, 2016 and April 14, 2017 may have been affected. The Buckle believes that the malware did not collect data from all transactions or all POS systems for each day within that time period. The company also said that all stores had EMV technology enabled during the time that the incident occurred, which helped to limit the impact of the breach.
  • Services disrupted: The CyberTeam hacking group announced on Twitter that it was responsible for the outage that affected Skype on Monday and Tuesday. Microsoft has not confirmed the cause of the outage, but the service was reported down in multiple countries across Europe, as well as Japan, Singapore, India, Pakistan, and South Africa. Square Enix said that Final Fantasy XIV game servers were being repeatedly targeted by DDoS attacks from an anonymous third party.
  • More incidents tied to errors and glitches: The email addresses of registered consultancies of the UK government’s Cyber Essentials scheme were exposed due to a configuration error in the Pervade Software platform, according to the IASME Consortium, which runs the accreditation. The sensitive personal information of students was compromised when a staff member at the UK’s University of East Anglia “mistakenly” emailed a spreadsheet with confidential data to 320 American Studies students. A man used a glitch to steal more than £99,000 from the Clydesdale Yorkshire Bank last December when, for approximately one hour, the man’s account showed a credit balance even though he did not have any money.
  • Other notable incidents: Online banking service Ffrees notified its users that some of their personal information was “temporarily exposed” due to an “information security incident.” Virgin Media is advising more than 800,000 customers using the Super Hub 2 router to change both their network and router passwords if they are using the default passwords shown on the device’s attached sticker. Torrance Memorial Medical Center said a phishing attack compromised email accounts containing “work-related reports” and the personal data of patients. The latest batch of CIA documents released by WikiLeaks, dubbed “Brutal Kangaroo,” revolves around “a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” A joint law enforcement action known as the eCommerce Action 2017 led to the arrest of 76 professional fraudsters and members of Internet-based criminal networks across 26 countries.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Larson Studios, the family-owned audio post-production business that was hacked by TheDarkOverlord, has finally provided public comments about the December 2016 attack that led to the theft of a variety of unaired episodes from major studios. That incident led to the leak of ten episodes of Netflix’s Orange is the New Black and eight episodes of ABC’s Steve Harvey’s Funderdome.

The takeaway from company president Rick Larson following the ordeal: “Don’t trust hackers.”

He learned that lesson after Larson Studios eventually paid TheDarkOverlord a $50,000 ransom as part of an agreement between the two to keep the breach private. However, a few months later the FBI told Larson Studios that TheDarkOverlord was attempting to extort the company’s clients with the stolen video, and the group then tried to publicly pressure Netflix and others into paying a ransom demand.

Why TheDarkOverlord would attempt to double-dip on the group’s ransom demand is somewhat puzzling. As SurfWatch Labs has noted in multiple blogs, the group has spent the past year carefully projecting an image of professionalism, framing its extortion demands as straightforward “business proposals” and using the media to try to spread the group’s message: pay up and everything will quietly go away. For example, in June 2016 when the group first began making headlines, TheDarkOverlord used the media to warn companies, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” They also warned that the ransom payment would be “a modest amount compared to the damage that will be caused” from a public leak. The group’s tone did not change when it came to extorting Netflix nearly a year later: “You’re going to lose a lot more money in all of this than what our modest offer was.”

It appears that after a full year of trying to build that image as a “trustworthy” extortionist, TheDarkOverlord has now lost its credibility — and, it should be noted, that credibility is what pushed companies like Larson Studios over the edge when deciding if the company should pay. As Rick Larson told Variety, previous media reports suggested that paying TheDarkOverlord actually worked.

TheDarkOverlord appears to be in damage control now, and the group is trying to regain that credibility by arguing that Larson Studios violated its agreement by contacting the FBI. The group also continues to leak data on other organizations, but hopefully those organizations will take heed of the message from Rick Larson to never put their trust in hackers — and it’s clear that now includes TheDarkOverlord.

TheDarkOverlord Targets Entertainment Sector with Leak of Unaired ABC Show

On Monday, the extortion group known as TheDarkOverlord released the first eight episodes of ABC’s soon-to-be-aired television show “Steve Harvey’s Funderdome” on the torrent site The Pirate Bay.

The leak of the ABC show follows a similar failed extortion attempt and subsequent leak of the first ten episodes of Netflix’s upcoming season of “Orange is the New Black” on April 28. At the time of the Netflix leak, TheDarkOverlord claimed to have stolen hundreds of gigabytes of unreleased and non-public media from a studio — including a total of 37 different film and TV titles. That leak was then tied to Larson Studios, an award-winning audio post-production studio in Hollywood.


As a result, Monday’s leak was likely not a surprise to ABC. TheDarkOverlord has been tweeting about the theft since late April and The New York Times reported that the FBI began notifying the affected companies of the theft a month before that.

Who is TheDarkOverlord?

There isn’t much known about TheDarkOverlord, as the group is very careful about exposing information that could relate to its members’ identities. The actor is smart and calculated but has also become bolder and more arrogant, as evidenced in its communication with recent victims and, very recently, in its setting up a help-desk-style hotline.

There have been dozens of targets publicly tied to data theft and extortion by TheDarkOverlord over the past year.

“Time to play another round,” the group wrote in a Pastebin post announcing the leak on Monday. “We’re following through on our threats as we always do. We firmly believe that honesty and determination are the two most important factors of any business.”

The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.

Communication with TheDarkOverlord has shown that there is likely more than one member of the group; however, the language used on the group’s accounts suggests that a single member is responsible for managing the Twitter promotions, as it has a common syntax. Generally, healthcare organizations (the group’s primary targets) are under-secured, and TheDarkOverlord is taking full advantage.

How TheDarkOverlord Attacks Organizations

TheDarkOverlord favors exploits that allow remote desktop control of a network. The group has also taken data acquired by other actors and exploited the clients found in those breached databases. This shows that TheDarkOverlord is not only proactive with its own targeting, but also opportunistic with regard to the sensitive data of any organization that the group comes across and can take advantage of — as evidenced by the recent pivot from targeting healthcare organizations to those in the entertainment industry.

TheDarkOverlord initially appeared to focus on targeting healthcare organizations, but the group has since targeted a variety of other industry groups.

In regard to the targeting of entertainment brands, TheDarkOverlord discovered what may have been a softer target in the form of the post-production company Larson Studios, which is part of several major entertainment brands’ supply chain. TheDarkOverlord claims that it was able to exfiltrate a large amount of unreleased, still-in-production media to use as leverage, although the group has only leaked two shows thus far.

As TheDarkOverlord moves from entertainment brand to entertainment brand with its extortion efforts, the actor is learning what impacted brands are willing to pay (if anything), and the group is then releasing the media publicly in order to harm the targeted brand financially for not giving in to its demands. “Orange is the New Black” was leaked a full six weeks before its June 9 premiere date, and “Steve Harvey’s Funderdome” was leaked six days before its June 11 premiere. Targeted brands are likely following the impact of releasing the unaired shows very closely.

Furthermore, TheDarkOverlord has a unique relationship with the media. By garnering media attention, the group builds its reputation and applies pressure to the organizations it wishes to extort. There have been reports that TheDarkOverlord first contacts its exploited entity and demands a ransom. Once the entity refuses, the actor then lists the healthcare database on TheRealDeal Marketplace or releases entertainment media publicly and alerts the media to its presence.

Past activity has shown a slight shift in tactics as TheDarkOverlord has breached an organization and followed that up by sending the victim, along with particular media figures who request it, a sample of the data. By involving security reporters and bloggers, TheDarkOverlord lends credibility to its work while causing panic in consumers who might be associated with the breach. Consumers’ dissatisfaction will also add pressure to the extorted entities to provide ransom payment to the actor for the stolen data.

Weekly Cyber Risk Roundup: TheDarkOverlord Returns and Multiple Attacks Circumvent 2FA

TheDarkOverlord was back in the news this week due to leaking data from multiple companies after failed extortion attempts. The most prominent leak involved Netflix, which had the first 10 episodes of the fifth season of its show Orange is the New Black leaked after it refused to cave to the actor’s ransom demands. The group also claims to have unreleased shows from ABC, Fox, National Geographic, and IFC. Media outlets reported that the shows appear to have been stolen from post-production studio Larson Studios in late 2016.


It’s unclear exactly how much TheDarkOverlord demanded from Netflix to not release the episodes, but the actor once again framed its response to the failed extortion attempt by trying to appeal to future victims, essentially arguing that paying up will cost them a lot less money than having their data released.

“It didn’t have to be this way, Netflix,” the actor wrote in a post on April 29. “We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. … And to the [other networks]: there’s still time to save yourselves. Our offer(s) are still on the table — for now.”

TheDarkOverlord has not yet released episodes allegedly stolen from other networks. However, three healthcare providers had data dumped by the actor on May 4. Aesthetic Dentistry in New York City and OC Gastrocare in California were both hacked last year by TheDarkOverlord, databreaches.net reported, and their dumps from last week contained 3,496 patient records and 34,100 patient records, respectively. The third dump was the biggest, containing more than 142,000 patient records allegedly stolen from Tampa Bay Surgery Center.

That large dump appears to be tied to a previously undisclosed breach, and TheDarkOverlord tweeted that the “clinic didn’t do anything wrong except annoy us.” That annoyance likely stemmed from the fact that the center did not cave to the group’s ransom demands, just like numerous other organizations targeted over the past year.


Other trending cybercrime events from the week include:

  • Payment card breaches continue: Sabre announced that it is investigating a data breach after discovering “unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.” More than 32,000 properties use Sabre’s SynXis reservations system, which is described as an inventory management Software-as-a-Service application. Sabre told customers that the unauthorized access has been “shut off” and that there are not any additional details to share at this time.
  • Numerous ransomware infections reported: An April 22 ransomware infection at electronic health records vendor Greenway Health disrupted services to 400 client organizations using the vendor’s Intergy cloud-hosted platform, and half of those customers were still waiting to have full EHR services restored on Monday, May 1. Pekin Community High School’s computer systems were infected with ransomware, and the actor demanded $37,000 in order to restore the encrypted files. Ransomware infected the computer systems of Cambrian College in Ontario and demanded a $54,000 payment. The school’s web portals, grade report, and student learning management systems were disrupted, and final grades and spring semester registration had to be postponed for several days. The law firm Moses Afonso Ryan Ltd was infected with ransomware last year that demanded a $25,000 ransom payment, and after paying a negotiated ransom the firm then had to renegotiate an additional payment when the first key purchased to decrypt the documents did not work.
  • Large amounts of data exposed: Around 135 million Aadhaar ID numbers and around 100 million bank account numbers have been leaked from four Indian government portals, according to a report released by The Centre for Internet and Society. The four government portals examined in the report include: National Social Assistance Programme, National Rural Employment Guarantee Act, Daily Online Payment Reports under NREGA, and Chandranna Bima Scheme. Data belonging to Alliance Direct Lending Corporation was found publicly available online, and as a result at least 550,000 customers have had their personal information exposed. According to MacKeeper, the leaked data contained 124 files (with five to ten thousand records each) that contained financing records broken down by dealership, as well as 20 audio recordings of customers agreeing to auto loans or refinancing of auto loans.
  • Other notable cybercrime news: Retina-X Studios announced that in February 2017 a malicious actor was able to break into a server that held database tables for its Net Orbit, PhoneSheriff, and TeenShield products, and the actor then wiped “any data that he was able to force access to.” According to the company, the actor was able to find a vulnerability in a decompiled and decrypted version of a now-discontinued product in order to achieve the unauthorized access. Grey Eagle Resort & Casino in Calgary has had an additional 1.7 GB of data dumped, and the hackers behind the dump indicated that the data would be uploaded to torrent sites “soon” and that more data dumps would follow in the coming weeks. The casino initially had data released by hackers in January, and the new dump appears to include more data that was stolen prior to the first leak.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Several recent cybercrime events have proven that although two-factor authentication is an effective way to prevent fraudulent transactions, malicious actors are focusing their efforts on ways to defeat the phone-based variant of that increasingly popular layer of security.

German newspaper Süddeutsche Zeitung reported that customers of O2-Telefonica had funds removed from their bank accounts after malicious actors exploited a flaw in Signalling System No. 7 (SS7), the signalling protocol suite that telecom companies around the world use to ensure their networks interoperate, in order to intercept the text-message authentication codes sent to customers and then use those codes to steal funds from the customers’ bank accounts. The attack was carried out from the network of an unnamed “foreign provider,” and one expert told the German paper that insider access to a carrier’s network could be bought for as little as €1,000 in order to carry out similar attacks.

The flaw in SS7 has been known since 2014, and in April 2016 60 Minutes aired a segment in which researchers demonstrated how U.S. Representative Ted Lieu’s phone messages and conversations could be intercepted. Lieu said the recent theft is yet another example of the insecurity of text-based, two-factor authentication:

“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”

In addition, the UK’s National Fraud & Cyber Crime Reporting Centre is warning that malicious actors are continuing to use “SIM splitting” attacks to take control of victims’ phone numbers, authenticate transactions, and steal money from bank accounts. As with the SS7-based attacks, the actors first gain access to the victim’s bank accounts via phishing, malware, or cybercriminal markets; in this case they then successfully report the phone lost or stolen in order to activate the SIM card on a new phone and intercept communications. The fraudsters then transfer money from the victim’s account to a parallel business account they opened, and when the bank calls or texts to verify the transactions, they are in control of the victim’s phone number and can confirm the fraudulent transactions. In both cases, malicious actors have proven that they can circumvent two-factor authentication with a little extra legwork.

Weekly Cyber Risk Roundup: Russian Hacking and New Extortion Campaigns

This week’s top trending cybercrime story is a hack that wasn’t: Vermont’s Burlington Electric Department. A December 30 Washington Post story falsely claimed that Russian threat actors had penetrated the U.S. power grid via the Vermont utility. That story has since been widely debunked, as the alleged international hacking incident was set off by a department employee simply checking his Yahoo email account. The employee’s action triggered an alert because the connection matched an IP address tied to indicators of compromise released by the Department of Homeland Security related to the alleged Russian hacking around the U.S. presidential election.

“We uploaded the indicators to our scanning system to look for the types of things specified,” Burlington Electric Department general manager Neale Lunderville told Fortune. “Then sometime on Friday morning, when one of our employees went to check email at Yahoo.com, our scanning system intercepted communications from that computer and an IP address listed in the indicators of compromise. When warned of that, we immediately isolated the computer, pulled it off the network, and alerted federal authorities.”

The incident involved a single computer not even connected to the grid control systems, he added.

The false story comes on the heels of a report issued by DHS and the FBI on Grizzly Steppe, the U.S. code name for the malicious cyber activity carried out by the Russian civilian and military intelligence services. That interference led President Barack Obama to sanction four Russian individuals and five Russian entities, as well as to order 35 Russian diplomats to leave the country and close two Russian compounds.

Intelligence officials testified before Congress on Thursday, and Director of National Intelligence James Clapper said that Russia’s role included hacking and the ongoing dissemination of “fake news.” Thursday also saw the resignation of former CIA director James Woolsey from Donald Trump’s transition team over what the Chicago Tribune described as “growing tensions over Trump’s vision for intelligence agencies.”


Other trending cybercrime events from the week include:

  • Bugs and mistakes expose sensitive data: A bug in Nevada’s website portal exposed the personal data of more than 11,700 medical marijuana dispensary applications. Data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was publicly exposed due to an unprotected remote synchronization service tied to Potomac Healthcare Solutions, which provides healthcare workers to the U.S. government through Booz Allen Hamilton. More than 10,000 invites to collaborate on Box.com accounts or documents were indexed and discoverable on search engines, including some documents containing sensitive financial and proprietary company information. PakWheels, an automotive classified site in Pakistan, announced a data breach due to a vulnerability in outdated vBulletin forum software.
  • Payment card breaches: British multinational hotel company InterContinental Hotels Group (IHG) is investigating a possible payment card breach after being notified of fraud patterns observed on credit and debit cards used at some IHG properties in the U.S., particularly Holiday Inn and Holiday Inn Express hotels. Topps announced a data breach affecting payment card and other data entered by customers when placing orders via its website. The incident was discovered in October and affects orders made through the Topps website between approximately July 30, 2016, and October 12, 2016.
  • Defacements and downtime: The Google Brazil domain was unavailable for 30 minutes on Tuesday afternoon due to a DNS attack that directed visitors to a defacement page. The official website of the Philippine military was defaced on December 30 by a hacker with the online handle “Shin0bi H4x0r.”
  • Ransomware updates: A ransomware infection at Los Angeles Valley College blocked access to emails, voicemail and computer systems as the computers of as many as 1,800 full-time faculty and staff could be infected. Ransomware actors are calling education establishments and claiming to be from the Department of Education, Department for Work and Pensions, and telecoms providers in order to obtain the contact information of the head teacher or financial administrator to attempt a ransomware infection.
  • Other breach announcements: Northside Independent School District is notifying 23,000 current and former students and employees that their information may have been compromised after an investigation of an August 2016 compromise of employee email accounts turned out to be a more widespread breach. The founder of KeepKey said his company email and phone were temporarily compromised on December 25, and the attacker reset accounts linked to the email address and was able to access several channels for a short period. Recent widespread electricity cuts across Istanbul have been attributed to a major cyber-attack, according to sources from the Energy Ministry. The New Hampshire Department of Health and Human Services is notifying 15,000 individuals that their personal information was exposed when a former patient at New Hampshire’s state psychiatric hospital posted information he had previously stolen to a social media website. The Organization for Security and Co-operation in Europe has recently confirmed that it was hit by a major cyber-attack in the first weeks of November when hackers managed to “compromise the confidentiality” of its IT network.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Organizations once again are being blackmailed by threat actors who are either threatening to release stolen data or else holding data hostage unless a ransom payment is made.

TheDarkOverlord is continuing its well-established tactic of hacking, extorting and then dumping data on a variety of targets. According to databreaches.net, “TDO appears to have dumped pretty much everything of any significance from two of the previously disclosed victim companies, Pre-Con Products, LTD, and G.S. Polymers, Inc. Other entities whose data TDO dumped include PcWorks, L.L.C. (in Ohio), International Textiles & Apparel, Inc. in Los Angeles, and UniQoptics, L.L.C. in Simi Valley.”

A new extortion campaign is being carried out by an actor using the name “Harak1r1.” The actor is hijacking MongoDB databases that are exposed to the Internet without authentication, stealing the data, and replacing it with a single collection and record named “WARNING” that holds the ransom note. The actor then attempts to extort the victims to recover their data. Researchers said the campaign is ongoing and that between Tuesday and Wednesday the number of compromised databases rose from around 2,000 to more than 3,500. The actor requests a 0.2 bitcoin ransom payment for victims to regain access to their data, which at least 17 companies have paid. The actor appears to be manually selecting targets based on which databases appear to contain important data, according to Victor Gevers, co-founder of GDI Foundation.

Interestingly, it appears that a second threat actor may be using the same tactic, but charging 0.5 bitcoin instead, according to a Wednesday tweet addressed to Gevers.


As of Saturday afternoon, the second bitcoin address had 11 bitcoin transactions totaling 3.31 bitcoins, so it is possible that more victims are making ransom payments.
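The databases being hit by Harak1r1 and the copycat actor share one setup: a mongod reachable from the Internet with authorization switched off, so the first client to connect is a full administrator and can drop every collection. The fragment below is an added illustration, not a configuration taken from any victim or from SurfWatch Labs; it shows that exposure in mongod.conf next to the hardened equivalent, using MongoDB’s documented net.bindIp and security.authorization settings. The port and addresses are assumptions.

```yaml
# Exposed: listens on every interface, no authentication.
# (A mongod started without a config file behaved this way before MongoDB 3.6.)
net:
  port: 27017
  bindIp: 0.0.0.0
# No "security" section, so authorization stays at its default of disabled:
# anyone who can reach TCP/27017 can list, export and drop every database.

---
# Hardened equivalent (assumed values; adjust the interface to your deployment)
net:
  port: 27017
  bindIp: 127.0.0.1          # loopback only; use a private address if clients are remote
security:
  authorization: enabled     # every client must authenticate; create the admin user first, then restart
```

Two checks go with this: confirm from a host outside the network that the port is not reachable (a firewall rule is a separate control from bindIp and should exist as well), and confirm that a backup exists and restores cleanly. In this campaign the original data is gone once the “WARNING” record is all that is left, so recovery comes from the backup, not from the 0.2 BTC payment.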

2017 Cyber Forecast: Blackmail Using Media and Sensitive Data Will Grow

The end of the year is drawing nearer, and with that comes a handful of traditions: family gatherings, eggnog by the fire, and everyone’s annual list of cybersecurity “predictions.” While it’s a bit semantic, I’m personally not a big fan of the term “predictions.” As someone who lives in the intel world, it’s more about looking at the data and making forecasts using probabilities. In all of the cyber threat intelligence that we provide our customers, we include a confidence level based on what we’re seeing and the probability of that threat impacting a specific customer.

I start out with the above just to level set the rest of this blog (and the next several blogs around 2017 cyber forecasts). When it comes to identifying trends and making a forecast on probability of what threats make waves in 2017, based on the success of ransomware attacks I have moderate confidence that we will see growth of more traditional extortion-related cybercrime.

SurfWatch Labs has seen a steady growth in the number of targets publicly associated with extortion, blackmail and ransoms over the past few years, and we expect that number to rise even higher in the coming year.

Extortion-related crimes are on the rise (note: 2H 2016 data includes intelligence collected through December 7).

One of the best and most recent examples of malicious actors using extortion is the hacking group known as TheDarkOverlord, which has breached, attempted to extort and then publicly shamed a variety of organizations over the second half of 2016.

The latest incident is the November breach of Gorilla Glue. TheDarkOverlord claimed to have stolen more than 500 GB of data, including research and development material, intellectual property, invoices and more. The group then offered Gorilla Glue its signature “business proposition.” As we wrote in a SurfWatch Labs blog earlier this year, the proposition is simple: pay the blackmail or face further data leaks and public shaming. After what TheDarkOverlord described as “a moderate dispute” with Gorilla Glue over payment — we’re guessing Gorilla Glue refused to pay — TheDarkOverlord shared a 200 MB cache of files with the media to help spread the story.

The evolving use of the media is actually one of the more interesting tactics used by TheDarkOverlord and other successful extortion groups this past year. Extortionists have referenced news coverage in their demands, prompted users to research past victims, and impersonated cybercriminals with established media coverage — all in an effort to lend credibility to their threats.

For example, back in April CloudFlare reported that a group using the “Armada Collective” name was blackmailing businesses with an extortion email that read, in part:

We are Armada Collective.

http://lmgtfy.com/?q=Armada+Collective

Your network will be DDoS-ed starting [date] if you don’t pay protection fee – 10 Bitcoins @ [Bitcoin Address].

If you don’t pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

The link in the email led to a Google search of the group, allowing victims to quickly see that some security researchers had described Armada Collective as a “credible threat.” Except the attackers were not part of the original Armada Collective. They were copycats simply exploiting the original group’s already established name. As CloudFlare later discovered, there was not “a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack.” Despite the lack of follow-through, the group managed to extort hundreds of thousands of dollars from the victims.

Leveraging the media in that manner is something the SurfWatch analyst team has observed more frequently over the past year. However, news outlets and victims are starting to become more skeptical of claims. That’s one of the reasons threat actors such as TheDarkOverlord have evolved their tactics to establish a more direct and somewhat dysfunctional “relationship” with the media. Bloggers and news outlets get access to a direct source of stolen data that can help generate headlines. Extortion groups receive the platform necessary to incite worry in the partners and consumers of the victim organization, adding pressure to pay extortion demands.

With cybercrime events seeing more mainstream coverage each year and extortion proven to be a successful, low-effort tactic, expect that dysfunctional relationship to continue to develop in the coming year. Extortion has proven particularly useful when it comes to the theft of sensitive customer data as it provides multiple additional ways for a threat actor to monetize information. If the victim organization doesn’t provide immediate compensation via an extortion payment, individual customers may then become targets of blackmail — sometimes years into the future.

Adultery site Ashley Madison announced its data breach in the summer of 2015, but individuals exposed in that breach were still being sent blackmail letters and emails nearly a year later. Some victims reported that when they didn’t pay, the blackmailers then followed through on their threats by sending letters about the individuals’ alleged infidelity to family, friends, and workplaces.

More recently, hackers stole customer information from Valartis Bank Liechtenstein and were reportedly threatening individual customers — including politicians, actors and high net worth individuals — that their personal information would be leaked if they did not pay 10 percent of their account balances in ransom.

These extortion and blackmail attempts are not nearly as prevalent as ransomware, but they follow the same principle of quick and easy monetization via the victims themselves. The past year has proven that the media can be successfully used as a tactic to better extort both organizations and individuals, particularly when it comes to sensitive information that may lead to brand damage or embarrassment. That trend will likely grow in 2017 as threat actors look to take advantage of every avenue when attempting to monetize future data breaches.

Stolen Data, Extortion and the Media: A Look at TheDarkOverlord

After making headlines by targeting a number of healthcare organizations over the summer, the cybercriminal actor known as TheDarkOverlord re-emerged last week with a new victim: California investment bank WestPark Capital.

As we noted in last week’s cyber risk roundup, the leak of documents from WestPark Capital is the first time SurfWatch threat analysts have observed TheDarkOverlord targeting the financials sector. The approximately 20 documents leaked so far — several of which have been confirmed to be legitimate by various news sources — include items such as non-disclosure agreements, meeting agendas, contracts and more.

“WestPark Capital is a ‘full service investment banking and securities brokerage firm’ whose CEO, Richard Rappaport, spat in our face after making our signature and quite frankly, handsome, business proposal and so our hand has been forced,” TheDarkOverlord wrote on Pastebin.

TheDarkOverlord ended its post by reiterating a simple message to current and future victims: “pay up.”

TheDarkOverlord’s Signature “Business Proposal”

Like previous attacks from TheDarkOverlord, it appears that the actor first tried to quietly extort the victim company with stolen data, and like previous victims, WestPark Capital refused to pay the ransom. As a result of non-payment, TheDarkOverlord published a portion of the stolen data. This publication may serve several purposes for TheDarkOverlord. First, it generates media attention around the breach that can be used to pressure WestPark Capital into paying the ransom before more damage is done. Second, and perhaps more importantly, it helps establish TheDarkOverlord as a credible threat when it comes time to extort the next victim.

This tactic was noted by SurfWatch threat analysts back in July, when TheDarkOverlord’s targeting of healthcare organizations pushed the actor into the spotlight.

TheDarkOverlord posted several stolen healthcare databases for sale on TheRealDeal Market this summer. The largest set of data was listed at 750 bitcoin, or nearly half a million dollars.

“There is suspicion that TheDarkOverlord is using the media to apply pressure to breached organizations to pay the actor’s extortion threats,” SurfWatch Labs wrote in a customer alert. “It is a plausible scenario that the actor’s true monetary motivation is to receive payment from breached organizations rather than sell the data openly on the Dark Web, especially at the high price the actor has set, which insinuates that the advertisements are primarily meant as a marketing tool.”  

TheDarkOverlord has been particularly adept at generating media attention through a combination of high initial prices on the stolen data, leaking portions of that data, and being available to various news outlets in order to push the actor’s extortion agenda.

For example, one of the first databases the group put up for sale belonged to a healthcare organization in Farmington, Missouri. A few days later, after several news stories had identified that organization as Midwest Orthopedic Clinic, TheDarkOverlord took to publicly shaming the victim.

A healthcare database posted for sale on TheRealDeal Market by TheDarkOverlord.

“[Owner] Scott A. Vanness should have just paid up to prevent this leak from happening,” TheDarkOverlord told The Bitcoin News. “He can still salvage the rest of the records and save himself from other things that we have made him aware of.” When asked if there would be more data leaked from other companies, the contact wrote back, “If they do not pay yes.”

That message is similar to statements made recently towards WestPark Capital — essentially, pay the extortion or face further leaks and public shaming.

It’s unclear if any previous organizations have paid ransom demands to TheDarkOverlord, but the actor’s statements often appear aimed at addressing future victims.

For example, TheDarkOverlord warned companies in June via DeepDotWeb, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” In addition, TheDarkOverlord told Motherboard that the ransom would be “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims.”

Who is TheDarkOverlord?

TheDarkOverlord portrays itself as a group of hackers — frequently using “we” and “us” in its latest posting; however, TheDarkOverlord has on occasion implied that one person was behind the decision making, as the Motherboard quote above indicates. It’s unclear if TheDarkOverlord is a group of actors or if the language is just another attempt to build up the TheDarkOverlord brand as a wide-reaching cyber threat.

From TheDarkOverlord’s recent Pastebin post on WestPark Capital.

TheDarkOverlord did say that other hackers recently exploited the group’s name in a data breach at St. Francis Health System.

This isn’t surprising as copycat actors often use already-established cybercriminal names. For example, earlier this year a string of attacks used the Armada Collective’s name to successfully extort companies with the threat of DDoS attacks. Actors looking to extort companies can leverage the well-known TheDarkOverlord name to make the threat appear more credible.

Statement from alleged copycat actors, as shown on databreaches.net.

“Although we applaud the individuals for their successful breach (despite how boring SQL injection and the acquisition of non-PII data is) and clever act of pinning this against us, we do not appreciate the unauthorised use of our name,” TheDarkOverlord wrote. “Unlike some laughable and inadequate actors, we are not an ‘idea’ or a ‘collective’ and as such, one shouldn’t operate under our name in order to uphold one simple and easy to follow concept: Honour Among Thieves.”

TheDarkOverlord does have an interesting approach to extorting companies. Unlike the former Armada Collective’s DDoS attacks or the ongoing surge of ransomware attacks — which actually disrupt service and prevent customers or employees from accessing resources — TheDarkOverlord has relied on a more traditional blackmail approach of causing damage via stolen and leaked data.

At the moment it is unclear how successful that approach is when compared to more disruptive attacks, but if the group and its copycats continue to leverage this approach, one can assume that it must be a profitable avenue of attack.

Supply Chains and Third Parties Continue to Cause Data Breaches

When putting together our recent Mid-Year 2016 Cyber Risk Report, the SurfWatch Labs team began by trying to answer one crucial question: with numerous cybercrime events across thousands of organizations this year, is there a central theme that emerges from all of that data?

In 2014, the data was dominated by a seemingly endless string of point-of-sale breaches. In 2015, the data highlighted a shift towards stolen personal information and more effective ways for cybercriminals to monetize that information. In 2016, the data so far showcases how cybercrime effects often spread beyond the walls of the victim organization.

“The diversity of cyber threats can seem overwhelming when viewed in isolation,” the report noted. “Collectively, they paint a picture of an increasingly connected cybercrime world. Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. The stories so far in 2016 clearly demonstrate this approach, with numerous cyber incidents tied to previous data breaches.”

In fact, the number of cybercrime targets tied to “third-party” tags spiked the month before we published our report. As we noted in our previous blog, many of these incidents were connected to previous data breaches and the tactic of “credential stuffing,” in which automated tools replay large batches of username and password pairs stolen in earlier breaches against other sites’ login forms, taking over any account whose owner reused the same password.

SurfWatch Labs collected data on more industry targets tied to “third-party” data breaches in June than any other month so far in 2016.

On Tuesday another company was added to the growing list of third-party victims after its customer data was discovered being sold on the dark web. This time it was UK telecommunications company O2. Once again, the incident was attributed to credential stuffing.

“We have not suffered a data breach,” O2 said in a statement. “Credential stuffing is a challenge for businesses and can result in many [companies’] customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

As the BBC noted, “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago.”

Although the company wasn’t directly breached, UK Telecom O2 had customer information for sale on the dark web due to data breaches at other organizations and “credential stuffing.”

That XSplit breach occurred in November 2013 and affected 2,983,472 accounts, according to Have I Been Pwned? The breach led to names, email addresses, usernames and hashed passwords being compromised.

That batch of three-year-old credentials appears to be the cause of the current breach of O2 accounts, as malicious actors leveraged that old information in order to gain even more personal information on the victims. In addition to names, email addresses and passwords, the O2 accounts for sale on the dark web include users’ phone numbers and dates of birth.

This is a similar scenario to what happened at LinkedIn, the most discussed company related to cybercrime so far this year. A 2012 data breach exposed more than 100 million user credentials. Over the past few months we’ve seen a variety of companies force password resets or otherwise report data theft due to those four-year-old credentials still being reused by customers or employees.
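The pattern described above has a recognisable signature in authentication logs, and spotting it is how a provider like O2 can tell a stuffing campaign from a breach of its own systems. The following is an added example, not SurfWatch Labs code or anything the companies named here run: it assumes a simple four-field log format (timestamp, source IP, username, result) and illustrative thresholds, and runs over a constructed sample. The heuristic is that one source tries many distinct usernames in a short window with a high failure rate, because most replayed passwords were never reused; a single username failing repeatedly is brute force or a forgotten password and is left alone. Any successful login from a flagged source is an account to reset first.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample authentication log (not real data). One event per line,
# in an assumed format: <ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2016-07-26T10:00:01 203.0.113.5 alice LOGIN_FAIL
2016-07-26T10:00:02 203.0.113.5 bob LOGIN_OK
2016-07-26T10:00:02 203.0.113.5 carol LOGIN_FAIL
2016-07-26T10:00:03 203.0.113.5 dave LOGIN_FAIL
2016-07-26T10:00:04 203.0.113.5 erin LOGIN_FAIL
2016-07-26T10:00:04 203.0.113.5 frank LOGIN_FAIL
2016-07-26T10:00:05 203.0.113.5 grace LOGIN_OK
2016-07-26T10:00:06 203.0.113.5 heidi LOGIN_FAIL
2016-07-26T10:00:06 203.0.113.5 ivan LOGIN_FAIL
2016-07-26T10:00:07 203.0.113.5 judy LOGIN_FAIL
2016-07-26T10:01:00 198.51.100.7 mallory LOGIN_FAIL
2016-07-26T10:01:05 198.51.100.7 mallory LOGIN_FAIL
2016-07-26T10:01:10 198.51.100.7 mallory LOGIN_FAIL
2016-07-26T10:01:15 198.51.100.7 mallory LOGIN_FAIL
2016-07-26T10:01:20 198.51.100.7 mallory LOGIN_FAIL
2016-07-26T10:01:25 198.51.100.7 mallory LOGIN_FAIL
2016-07-26T10:02:00 192.0.2.10 oscar LOGIN_OK
2016-07-26T10:02:30 192.0.2.10 peggy LOGIN_OK
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_credential_stuffing(
    events: List[Event],
    window: timedelta = timedelta(minutes=5),
    min_users: int = 5,
    min_fail_ratio: float = 0.7,
) -> Dict[str, dict]:
    """Flag source IPs whose login attempts look like credential stuffing.

    Stuffing replays leaked username/password pairs, so one source tries many
    *distinct* usernames in a short time and most attempts fail. A single
    username failing repeatedly (brute force, forgotten password) is not flagged.
    The thresholds are illustrative assumptions, not tuned values.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        users_in_window: Counter = Counter()
        fails = 0
        start = 0
        best = None  # densest qualifying window seen for this source
        for end, e in enumerate(evs):
            users_in_window[e.user] += 1
            fails += 0 if e.ok else 1
            # Slide the left edge forward until the window spans at most `window`.
            while e.ts - evs[start].ts > window:
                old = evs[start]
                users_in_window[old.user] -= 1
                if users_in_window[old.user] == 0:
                    del users_in_window[old.user]
                fails -= 0 if old.ok else 1
                start += 1
            attempts = end - start + 1
            distinct = len(users_in_window)
            if distinct >= min_users and fails / attempts >= min_fail_ratio:
                if best is None or distinct > best["distinct_users"]:
                    best = {"distinct_users": distinct, "attempts": attempts, "failures": fails}
        if best is not None:
            # Successful logins from a stuffing source are the accounts to reset first.
            best["takeover_candidates"] = sorted({e.user for e in evs if e.ok})
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} users in {f['attempts']} attempts, "
              f"{f['failures']} failures; reset first: {', '.join(f['takeover_candidates'])}")
```

On the sample, only 203.0.113.5 is flagged (ten distinct usernames, eight failures, with bob and grace as the accounts whose reused passwords worked); 198.51.100.7 hammering a single account is a different problem and is left for a lockout or brute-force rule. In production the source key would usually be widened beyond a single IP, since stuffing tools rotate through proxies, and the thresholds tuned against the site’s normal failure rate.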

In short, old data breaches are leading to a surge of fresh attacks. However, credential reuse isn’t the only concrete example of the ripple effect of cybercrime, although it certainly is a major issue. This year has also seen more traditional incidents of supply chain cybercrime — where one partner or vendor is exploited to compromise another organization. In fact, SurfWatch Labs has collected data on “third-party” cybercrime impacting dozens of different industry groups so far in 2016.

While many industry groups have been impacted by “third-parties” this year, Software and IT Services and Consulting are the top trending groups in SurfWatch Labs’ data.

For example, in June we wrote about several healthcare organizations that were victimized by an actor going by the name “TheDarkOverlord,” who was attempting to sell data stolen from healthcare databases on the dark web. This week two of those healthcare organizations publicly confirmed they were victims. As databreaches.net noted, both cited third parties as a source of the compromise in their respective statements.

  • Midwest Orthopedics Group: “… To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients …”
  • Athens Orthopedic Clinic: “Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. …”

Various agencies and government groups are taking notice of the trend. The Federal Energy Regulatory Commission recently proposed revisions to the critical infrastructure protection (CIP) Reliability Standards, writing in a press release that “recent malware campaigns targeting supply chain vendors highlight a gap in protection under the [current] CIP.” In addition, the new guidelines from the automotive industry’s ISAC call for more transparent supply chains and increased involvement with third-party researchers. Lastly, Air Force chief information officer Lt. Gen. William Bender noted at a recent forum that the supply chain remains a concern that can span across many different companies.

“It’s not just primary vendors, it’s secondary, tertiary and even further down,” he said.

Having threat intelligence on those various partners, vendors and others who may indirectly affect an organization’s cybersecurity is more important than ever. As SurfWatch Labs’ Mid-Year Risk Report concluded, “The effects of cybercrime continue to ripple outwards – affecting those in the supply chain and beyond.” 

Healthcare Databases for Sale on Dark Web, but What Else is Being Sold?

The recent theft and potential sale of various healthcare databases has once again put the sector at the forefront of cybercrime — and makes many wonder how their information is affected by criminal activity on the dark web. While healthcare-related data is not nearly as prevalent on the dark web as other sectors like financial services, SurfWatch Labs has observed a variety of items being offered up for sale in addition to this week’s headline-making healthcare databases.

As previously noted, common threat intelligence found on the dark web includes compromised credentials, stolen financial information, stolen intellectual property, threats stemming from an organization’s supply chain, and information on a wide range of hacking services and other cybercrime tools. These same categories also apply to healthcare organizations.

Over the past year SurfWatch Labs has observed direct healthcare breaches, third-party breaches that have impacted healthcare organizations’ employee accounts, fraudulent prescriptions, and other healthcare-related cyber threats.

What’s Being Sold on the Dark Web Now?

This week, several healthcare databases were put up for sale on the dark web by an actor going by the name “TheDarkOverlord” — along with a hefty price tag for that information.

On Monday, after previously posting three different databases that contain names, addresses, Social Security numbers, birth dates and some phone numbers of 655,000 individuals, the hacker told the Daily Dot that he was sitting on a “large” number of other databases. On Tuesday he followed through on that claim, adding for sale a database of 34,000 records from a New York clinic as well as a health insurance database with 9.3 million patients, which he said was stolen using a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.” On Wednesday he again made headlines by naming one of the companies breached, Midwest Orthopedic Clinic in Farmington, Missouri, and said that the owner “should have just paid up to prevent this leak from happening.”

According to the post, the 2GB file contains 9,278,352 records and is selling for 750 bitcoin (around $485,000), a far higher price than is typical for items sold via dark web markets.

A posting of more than 9 million records is on the extreme end of the price spectrum, and it could be that the actor is trying to spin up some media attention in order to better extort potential victims or drive future sales — if he is indeed sitting on many more databases to sell.

More typical of the healthcare-related information found for sale on the dark web are counterfeit documents and other identity information that can be used for different types of fraud, medical and otherwise. Although this information does not sell for hundreds of thousands of dollars or make national headlines, it is much more prevalent.

For example, fraudulent medical cards from around the world are available for a few hundred dollars.

In the posting below, a vendor is selling a Quebec Medicare card template for $700. “Why is it so good?” the vendor asks rhetorically. “Because it has the latest security features, and is a valid photo ID. Most places will trust the Medicare [card] before they trust the DL [driver’s license] because almost no one makes them.”

The vendor is also selling driver’s license templates, but fraudulent Medicare cards are an easier option for the buyer, he wrote. With this card, all the buyer needs is a hologram overlay (which he conveniently also sells) and an embosser.

Likewise, private (non-state-issued) health insurance cards are available. The listing below, from a now-defunct dark web marketplace, is selling a U.S. health insurance card for $40.

Why? “These are to provide proof that you have health insurance in the United States,” the seller wrote, adding that an insurance card like the one provided is an excellent way to round out a fake identity. “If a fake ID is questioned, this can be pulled out to back it up and eliminate any question. [It] may save you. In addition it may be used as a secondary form of ID to open up a PO box under a false identity.”

Insurance cards like the one for sale here have a variety of cybercriminal uses ranging from direct medical identity theft to verification purposes in order to perpetrate other forms of fraud.

Some items for sale on the dark web leverage physicians’ identities. The posting below is from a vendor who is currently selling a signed California drug prescription form from a medical group with six different doctors. “These are REAL doctors Rx Scripts, from a REAL CA medical practice,” the vendor wrote. “These are extremely hard to come by.”

The form, which includes up to three prescriptions, is selling for $75, and the vendor will even fill out the script for an extra $100 if the buyers are unsure how to do so.

“The form contains Doctors Names, DEA numbers, and CA license numbers,” the listing reads. “These are signed prescriptions you can fill out yourself for pharmaceuticals in CA, I would like to get rid of these ASAP.”

Additionally, the dark web is often associated with illegal drugs – and for good reason. Reporting on dark web markets such as Silk Road tends to focus on hard drugs; however, prescription drugs are readily available. They can be purchased from a variety of sellers on nearly every dark web marketplace.

This vendor is selling a wide range of prescription drugs in different dosages.

Utilizing Cyber Threat Intelligence

In addition to the postings from open marketplaces shown above, there is information to be gained from the private cybercriminal forums and markets on the dark web. As more researchers and law enforcement turn to the dark web for intelligence gathering purposes, cybercriminals have begun to take more precautions. Some markets require a referral to gain access. Some require a user fee. This chatter, both the public postings and more restrictive groups, can provide important insight into the most active cyber threats facing your organization.

For example, SurfWatch Labs has previously observed certain forum members requesting health insurance records from specific companies – presumably to assist in perpetrating insurance fraud as one actor was specifically looking for “high cost treatments.” Knowing which actors are targeting an organization, what those actors are looking for, and other chatter around potential cyber threats can be invaluable when it comes to planning, budgeting and implementing a company’s cyber risk management strategy.

This type of dark web threat intelligence provides direct insight into the malicious actors that target healthcare organizations, and it goes beyond the big ticket items that generate news headlines and spark a national conversation. Those stories are important, but in many ways the dark web shines a light on a cybercrime problem that is much more insidious: death by a thousand cuts.

With so many different threats out there, knowing which threats to focus on is critical. In many ways cybersecurity is simply about effective prioritization, and to that point, cyber threat intelligence, including what is gathered from the dark web, is a vital part of it.