Tag Archives: Dark Overlord

Hackers Shut Down Entire School District For Days

All schools in Flathead County, Montana schools were closed on September 14 and 15 and all extracurricular activities and athletic events cancelled as a result of a ransom threat from the well known hacker(s) called The Dark Overlord.

This was not a ransomware attack where the district’s data would have been encrypted, demanding a ransom to decrypt it.

Instead the hackers broke into the district’s server (the district has 15,000 students;  I suppose it is possible that it only has one server, or at least the server they hacked had those records in it) and stole addresses, medical records, behavioral records, and other data from past and present students, staff and parents.

They sent threatening messages to parents saying that the hackers would kill as many people as possible if the ransom was not paid.

The hackers demanded $75,000 in Bitcoin if paid quickly, $100,000 in Bitcoin if someone wrote an embarrassing letter and $150,000 in Bitcoin if paid out over a year.

Given that the ransom notes were sent to parents, the cat was out of the bag.  The Sheriff decided, as a result, to release the ransom note sent to the District Board.

Historically, The Dark Overlord – if that who is really doing this – has not resorted to threatening to kill people.  This would be a new low.

After several days, the police, working with other law enforcement agencies, decided that the hacker(s) were not local to northern Montana and therefore, as a result, would not realistically be able to carry out the threat to  kill children and schools resumed after being closed Thursday and Friday and sports and extracurricular events being cancelled on Saturday and Sunday as well.

The hacker(s) contacted the Flathead Beacon, the local newspaper and in a conversation, the hacker(s) said the goal was to kill as many people as possible in a place where no one would expect.

The hacker said that he wanted people to live in a state of fear before he makes his move.

When asked if this was politically motivated, the hacker claimed that the goal was to exterminate human life and smear the government.

Law enforcement said that all district schools were taking necessary precautions to ensure that no data breach occurs.  I am somewhat skeptical of this claim, unless they turned off and unplugged all the other computers, since the district was already breached.

Law enforcement said that they feel that there is no threat to the physical safety of our children.

This is totally a crap shoot on their part.  The odds are in their favor, which is a good thing, but there are no guarantees.

That fact is a problem.  I am going to side with them and hope this is an empty threat.  At least this time.

As long as organizations make it as easy as taking candy from a baby to break into their computer networks, they are making it easy for the hackers.  Once hackers are armed with stolen data (either by encrypting it or actually stealing it), they have many more options than before.

Hopefully, this is a one-off and not a trend and hopefully this is one mentally deranged individual, but whether that is true is unknown.

Whatever this is, it is certainly an escalation of hostilities.  *IF* this an indication of what hackers might do in the future, that represents a scary future.

Assuming this was a target of opportunity, and it likely was  – a small school district in rural Montana is unlikely to be a strategic target – then our objective has to be to make it difficult for that random cyber attack to succeed.

Information for this post came from the Flathead Beacon and Naked Security.

Gorilla Glue Cannot Stop Hackers

The hacker group The Dark Overlord claims to have hacked Gorilla Glue and has stolen, they claim, over 500 GB of intellectual property.

As I have said many times, the theft of intellectual property is a way bigger problem than the theft of credit cards.

If someone steals your credit card, you whine at the bank, they cancel your old one and overnight you a new one.  In the worst case, you are out $50 under federal law.  Maybe if your bank is cheap, you have to wait a few days for a new card.

If someone steals your intellectual property (IP) there is no putting that genie back in the bottle.  Once your product design or salary information or whatever is out, you cannot reel it back in.

In this case, The Dark Overlord claims to have stolen “everything they have ever created“.   They say it includes research and development information, IP, product designs, and access to dropbox and personal email accounts.  The personal email accounts are typically the place where password reset requests are directed, so that is particularly troublesome.  Plus it could include adult pictures, if the celebrity iPhone hacks from a couple of years ago are any indication.

The Dark Overlord sent Motherboard a cache of 200 MB worth of the data that was stolen (out of the 500 gig).  The information includes financial spreadsheets, invoices, strategy documents, presentations, contracts with banks and other material.  Motherboard says this material does not appear to be available anywhere on the Internet.

Motherboard contacted a number of people at Gorilla Glue and also the FBI, but no one is talking, which is not really a surprise if they are negotiating with the hackers.

Among the data in the small cache is pictures of Gorilla Glue executives’ family members.  If that isn’t scary, I am not sure what is.  Motherboard was able to find other pictures of some Gorilla Glue exec’s families to validate those pictures are real.

So what we have here is a family owned company that was apparently totally hacked.  All of their IP, financial info, R&D and likely customer information was all stolen.  Pictures of company executives families were also vacuumed up.

And, it appears, the hackers are negotiating a price to not release this information.  The hackers said that they have offered Gorilla Glue “a handsome business proposition”.

How many zeros are in that invoice are not clear, but I am sure this is not a $500 ransomware invoice.

This is the second item this week where hackers stole information and are now trying to extort the business in exchange for not releasing the information.

Of course, you have to trust the extortionists, so even if you do pay, what confidence do you have that they won’t release the information, use it themselves for nefarious purposes or sell it quietly to other hackers?  The answer is ZERO!

Do you have a plan of action if hackers stole every bit of digital information your company has?  I didn’t think so.  It is a worst case scenario for most companies.

That doesn’t mean that you should not have a plan.  In fact, you should.  This should be a scenario that you test in your incident response annual exercise.

Information for this post came from Motherboard.


Hackers Extort Atlanta Medical Clinic

Peachtree Orthopaedic Clinic, announced a breach last month.  Now the hackers behind the attack, the Dark Overlord, say that the clinic owner has not paid the ransom – 83 bitcoins or around $60k – and they are threatening to release more records.  Last month they released names, birth dates, addresses, prescription info and socials of a group of patients.

They claim to have taken more than a half million records, including the prescription history for a number of professional athletes.

The hackers say that Michael Butler, the CEO of Peachtree, promised to pay 83 bitcoins, but has not done that.

The hackers say that they will release more and more records in an effort to get the clinic to pay the ransom.  One would think that with pro athletes in the mix, paying $60k to keep your drug habits out of public scrutiny, even if everything you are taking is legal,  Of course, we don’t know if the $60k is a down payment or whether the hackers will be happy with that much money.

For any organizations storing sensitive customer data, this should be a warning.  How would you deal with an event like this, going on for more than a month with no resolution.

Some hackers have figured out that an easier way to monetize stealing your data may be to extort you instead of selling your data.  It is not at all clear what the end game with be with Peachtree Orthopaedic, but it is clear that it will be messy no matter how it turns out.  Not only have they been dealing with hackers for a month, but they have been dealing with the FBI trying to figure out who the hackers are.

If your company had to deal with the same situation as Peachtree has been dealing with for a month or more, how well prepared are you?  What do you tell your clients?  What are your employees supposed to do?  It has to be a huge distraction.

At this point, Peachtree is likely unclear as to exactly what data the hacker has and whether the hacker will release the private data on your most privacy sensitive clients – pro athletes.  They may have a half million records.  Or they may not.  This is dragging on beyond what seems reasonable.  One guess could be that they don’t really have the data, but that is a dicey bet if you guess wrong.

Stay tuned!

Information for this post came from Motherboard.