An entire US school district in Flathead Valley, Montana, shut down for three days after hackers going by the name of “TheDarkOverlord Solutions” targeted several schools, sending death threats to parents and promising to release students’, teachers’ and school administrators’ personal information unless a ransom was paid.
It amounted to disruption of more than 30 schools across the valley, including cancellation of weekend activities and events through the weekend. Classes resumed on Tuesday under heightened security.
Flathead County Sheriff Chuck Curry posted the ransom note on Facebook (with some information redacted), along with a written statement, to alleviate concerns about the physical safety of those in the school community.
The Dark Overlord, or the more ironically titled The Dark Overlord Solutions (if you can stomach the endless ransom letter, which goes on for page after self-congratulatory, self-amusing page, you’ll notice that the group relishes its irony), is a known group.
The Dark Overlord has gone after healthcare organizations.
The group is also responsible for extorting Netflix, though the company refused to pay.
Remember the group that wanted to spoil the release of Season 5 of Orange Is the New Black, back in May? Same group; at least, the group involved in this school attack is going by the same name, and it claimed to be responsible for the Netflix attack in its ransom note.
In spite of having received 50 bitcoins (worth about $50,000 at the time) from an audio post-production studio in Hollywood, The Dark Overlord went right ahead and released the show anyway.
The Dark Overlord spent a week making graphic death threats against children in Flathead County. The threats include the ransom letter’s horrific allusions to Sandy Hook, scene of the mass shooting murders of 20 elementary school children and six adult staff members. In spite of such threats, Sheriff Curry reassured residents that the group isn’t as murderous as it is full of hot air:
We have made the unusual decision to release the ransom demand letter. We feel this is important to allow our community to understand that the threats were not real, and were simply a tactic used by the cyber extortionists to facilitate their demand for money.
We have also discovered that they have frequently failed to live up to their promises to not release the stolen data in the past, even when their ransom demands have been met.
We fully understand the concern and fear that has resulted from this cyber-attack, and want the community to know that all the valley law enforcement agency heads feel there is no threat to the physical safety of our children.
Sheriff Curry said that the group is already under multiple investigations elsewhere in the US but that it’s located outside of the country.
The hacking group managed to infiltrate the Columbia Falls school district server in order to steal personal information that included addresses, medical records, behavioral records and more for past and present students, staff and parents. More than 15,000 students were affected by the school closures, which included cancellation of away games.
This isn’t just your run-of-the-mill blackmail. If the extortion is in fact coming from the well-known hacking group, it’s the first time they’ve added death threats to the mix.
A local newspaper, the Flathead Beacon, quoted Zuly Gonzalez, co-founder and CEO of Maryland-based cyber security firm Light Point Security, who’s familiar with The Dark Overlord’s modus operandi:
I’ve never heard of them actually threatening anybody’s lives, especially children… Usually these groups aren’t really designed to do that type of stuff.
The Dark Overlord is, as far as law enforcement can determine, overseas. They’re not close enough to carry out physical harm. Hopefully, that will lessen the fear that parents must have felt when they received threats against their children’s lives.
Gonzalez thinks it likely that the targeting of Flathead schools was random. These groups go after the low-hanging fruit, she says, which means networks that didn’t have proper protection in place to guard against malware, for example.
Defensive measures
As ransom attacks continue, it’s clear that there’s far more that we have to do to protect data than to buy up digital currency and plan to pay ransom to crooks – and yes, there are many organizations that are doing just that.
The problem is that paying ransom a) doesn’t ensure that the extortionists will actually release your data – consider The Dark Overlord as a prime example – and/or b) doesn’t ensure that the crooks won’t come back looking for more money in the future, and/or c) invites future attack.
This attack is different from a typical ransomware attack, were the crooks don’t steal your data and threaten to release, but lock it up and make you pay to recover it. Nevertheless, both sorts of attack depend on the same precursor, namely that the crooks get unauthorized access to, and control over, your data for long enough to blackmail you as a result.
So we’re repeating our popular anti-ransomware advice here, even though this wasn’t a ransomware incident – after all, computer security is largely about keeping the bad guys out, and the good stuff in:
Mahhn
Okay NSA and CIA, lets see you do something useful. Lock up these punks by Monday.
I really hope you do, but my confidence in thousands of government techs with billions in budget, is less than I have in one (BK) reporter’s ability to research.
Bryan
You mentioned recently how the advertising cabal have been sniffing their own farts, but OMG that ransom letter. Lisa wasn’t joking. The description “TL;DR” was invented for that letter.
Zack
It seems very strange that they only wanted $150 USD in bitcoins, or $75 if they did it quickly. That a drastically low price for most ransomware, and very strange coming from TheDarkOverlords who received $50k BTC earlier in the year. You would think they would be asking for more with the information they have.
The Ransom note in general was like reading something an edgy 14 year old wrote. Like I couldn’t stop myself from laughing and rolling my eyes while reading this. All of this makes me wonder if this may be a poser and not the real “DarkOverlords”.
Anonymous
I think you will find some countries use a dot like the US use the comma, so that’s $150,000 USD.
Could be a sign to back up the theory they are not local to the US.
Paul Ducklin
There’s also the fact that the amount is written with the currency designator after the number, and that it uses the currency code “USD” as though “$” alone might not be specific enough – like this: 150.000 USD. The datestamp is written in a global style using UTC, which Americans tend not to do, being wedded to DDMM and the 12-our clock. Also, there’s “honour” for “honor”. Yet the writer gives the impression of being a fluent speaker of English living in North America.
At the risk of sounding a bit cheeky, my first thought was “Anglophone Canadian from Québec.” But that would be a trivial ruse for any US Angplohone to use to mislead the reader, of course, so let’s just stick with that as a cheeky suggestion :-)
Wilderness
People have no shame these days. Hunt their cowardly rumps down and toss them in prison.
Max
It’s one thing to steal some entertainment content, but to go after healthcare organisations and threaten children’s lives. Is there no “honor among thieves” type of hacker group out there to do some digging? At least if the fancy well funded above the law government agencies aren’t able to do it, despite having all the data in the world “to protect us”.
Alex Insley
Can we accurately use the term ransomware here? I don’t see any indications that systems were locked out until a ransom was paid, only that data was stolen and extortion was attempted. Can someone comment on this?
Paul Ducklin
Point taken. We’ve tweaked it to make it clear why we’re giving anti-ransomware advice even though the word “ransomware” doesn’t fit this crime.
Bob King
Stop using Windows. Problem solved