Hackers hold entire school district to ransom

An entire US school district in Flathead Valley, Montana, shut down for three days after hackers going by the name of “TheDarkOverlord Solutions” targeted several schools, sending death threats to parents and promising to release students’, teachers’ and school administrators’ personal information unless a ransom was paid.

It amounted to disruption of more than 30 schools across the valley, including cancellation of weekend activities and events through the weekend. Classes resumed on Tuesday under heightened security.

Flathead County Sheriff Chuck Curry posted the ransom note on Facebook (with some information redacted), along with a written statement, to alleviate concerns about the physical safety of those in the school community.

The Dark Overlord, or the more ironically titled The Dark Overlord Solutions (if you can stomach the endless ransom letter, which goes on for page after self-congratulatory, self-amusing page, you’ll notice that the group relishes its irony), is a known group.

The Dark Overlord has gone after healthcare organizations.

The group is also responsible for extorting Netflix, though the company refused to pay.

Remember the group that wanted to spoil the release of Season 5 of Orange Is the New Black, back in May? Same group; at least, the group involved in this school attack is going by the same name, and it claimed to be responsible for the Netflix attack in its ransom note.

In spite of having received 50 bitcoins (worth about $50,000 at the time) from an audio post-production studio in Hollywood, The Dark Overlord went right ahead and released the show anyway.

The Dark Overlord spent a week making graphic death threats against children in Flathead County. The threats include the ransom letter’s horrific allusions to Sandy Hook, scene of the mass shooting murders of 20 elementary school children and six adult staff members. In spite of such threats, Sheriff Curry reassured residents that the group isn’t as murderous as it is full of hot air:

We have made the unusual decision to release the ransom demand letter. We feel this is important to allow our community to understand that the threats were not real, and were simply a tactic used by the cyber extortionists to facilitate their demand for money.

We have also discovered that they have frequently failed to live up to their promises to not release the stolen data in the past, even when their ransom demands have been met.

We fully understand the concern and fear that has resulted from this cyber-attack, and want the community to know that all the valley law enforcement agency heads feel there is no threat to the physical safety of our children.

Sheriff Curry said that the group is already under multiple investigations elsewhere in the US but that it’s located outside of the country.

The hacking group managed to infiltrate the Columbia Falls school district server in order to steal personal information that included addresses, medical records, behavioral records and more for past and present students, staff and parents. More than 15,000 students were affected by the school closures, which included cancellation of away games.

This isn’t just your run-of-the-mill blackmail. If the extortion is in fact coming from the well-known hacking group, it’s the first time they’ve added death threats to the mix.

A local newspaper, the Flathead Beacon, quoted Zuly Gonzalez, co-founder and CEO of Maryland-based cyber security firm Light Point Security, who’s familiar with The Dark Overlord’s modus operandi:

I’ve never heard of them actually threatening anybody’s lives, especially children… Usually these groups aren’t really designed to do that type of stuff.

The Dark Overlord is, as far as law enforcement can determine, overseas. They’re not close enough to carry out physical harm. Hopefully, that will lessen the fear that parents must have felt when they received threats against their children’s lives.

Gonzalez thinks it likely that the targeting of Flathead schools was random. These groups go after the low-hanging fruit, she says, which means networks that didn’t have proper protection in place to guard against malware, for example.

Defensive measures

As ransom attacks continue, it’s clear that there’s far more that we have to do to protect data than to buy up digital currency and plan to pay ransom to crooks – and yes, there are many organizations that are doing just that.

The problem is that paying ransom a) doesn’t ensure that the extortionists will actually release your data – consider The Dark Overlord as a prime example – and/or b) doesn’t ensure that the crooks won’t come back looking for more money in the future, and/or c) invites future attack.

This attack is different from a typical ransomware attack, were the crooks don’t steal your data and threaten to release, but lock it up and make you pay to recover it. Nevertheless, both sorts of attack depend on the same precursor, namely that the crooks get unauthorized access to, and control over, your data for long enough to blackmail you as a result.

So we’re repeating our popular anti-ransomware advice here, even though this wasn’t a ransomware incident – after all, computer security is largely about keeping the bad guys out, and the good stuff in: