[BreachExchange] Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers'

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 23 14:36:32 EDT 2017


http://www.databreachtoday.com/blogs/hollywood-studio-hit-by-cyber-extortion-says-dont-trust-hackers-p-2500

The back story behind the ransom attack that led to the unauthorized early
release of the Netflix TV series "Orange Is the New Black" is a cautionary
tale in dealing with cyber extortionists such as The Dark Overlord.

In an exclusive story, the publication Variety tells the tale of Larson
Studios, a Hollywood post-production facility that saw three dozen titles,
including the forthcoming season of the dark prison comedy, stolen from its
network by The Dark Overlord.

The company's owners, Jill and Rick Larson, say they transferred $50,000
worth of bitcoin to the attackers in an attempt to prevent the release of
stolen content, Variety reports. But The Dark Overlord released the series
to file-sharing networks anyway.

The Dark Overlord, which is suspected to be a small group of hackers,
gained notoriety in 2016 for its ruthless attacks on small organizations,
such as medical clinics. The group contacts the organizations, announces
data has been stolen, and demands a ransom payment. If the ransom isn't
paid, the stolen data is often dumped online. In several cases, highly
sensitive medical and personal data has been leaked, with victims often
unaware of the breaches (see Here's How a Hacker Extorts a Clinic).

In the latest incident involving The Dark Overlord, data on several
celebrities from a California vision clinic was dumped.

Security experts who've analyzed some of The Dark Overlord's attacks say
the group typically hits organizations that have made relatively elementary
security errors.

I chatted with a purported member of The Dark Overlord last month on
instant messaging. The person confirmed for me that he or she had control
over a Twitter account (@tdohack3r) that has frequently posted stolen data.
Twitter recently suspended the account.

"Some operations are easier than others and require far less effort, mind
you," the member of The Dark Overlord told me.

The Larson Studios hack was no different. Variety reports that the group
apparently came across a Windows 7 machine belonging to the small company.
Microsoft ended mainstream support for Windows 7 in January 2015, but the
operating system remains in extended support and still receives monthly
security patches until January 2020.

Whether Larson Studios regularly patched the machine is unclear, but it was
identified as The Dark Overlord's point of intrusion. From there, things
only got worse.

Variety quotes Larson's director of digital systems, Chris Unthank, as
saying, "Once I was able to look at our server, my hands started shaking,
and I almost threw up."

SMS Hack Alerts

The Larsons started receiving text messages from The Dark Overlord two days
before Christmas last year asking them to check their email. On Christmas
Day, Unthank found data had been deleted on the server. The same day, the
company contacted the FBI.

The Dark Overlord threatened to release "Orange is the New Black" before
Dec. 31. But it was nearly a month before the group provided evidence that
it had stolen what it had claimed. The group demanded that Larson not speak
of the attack.

The group sends victims "proposals," which are actually extortion letters.
When I chatted with The Dark Overlord representative online last month,
that person contended the group had an "ace legal team" that emphasized
non-disclosure of attacks by its so-called "clients."

"They can expect the highest level of client services and discretion," the
person wrote over an encrypted chat. "We're in this racket to earn vast
amounts of internet money and doing so requires our operations to be in
tip-top shape.

"Our business is built upon principles like discretion and client service,"
the person continued. "When a client enters into a contract with us, we
take them by the hand and guide them to safety. We volunteer to handle all
matters and maintain strict non-disclosure. Many times we all become
friends and laugh about the entire arrangement over some alcoholic
beverages."

Ransom Paid

Although the FBI advised Larson not to pay, it did anyway. Rick Larson
tells Variety that the company felt clients entrusted it to protect their
intellectual property.

It took the Larsons a week and 19 separate transactions to send $50,000
worth of bitcoin to the attackers, a process that was hampered somewhat by
transfer restrictions imposed by Coinbase, a bitcoin exchange, and concerns
by its bank. The Dark Overlord sent an email acknowledging the payment. The
Larsons hoped the problem had gone away.

Instead, The Dark Overlord was trying to expand its pool of victims,
contacting other studios about the stolen content. Larson Studios hadn't
told anyone other than police and the FBI about the incident. The group
also tried to blackmail Netflix directly.

The premiere episode of season five of "Orange is the New Black" popped up
on The Pirate Bay, the bittorrent search engine, around April 29. Soon
after, torrents for the remaining nine episodes showed up. It was widely
believed that the attack would never result in payment, or at least not
directly from Netflix. Wired wrote a story titled: "That Orange is the New
Black Leak Was Never Going to Pay Off."

But actually, it did.

'Don't Trust Hackers'

Ransom demands, whether for stolen data or for data that's been encrypted
by malware, have proven to be a tough cybercriminal racket to stop. In the
case of ransomware, some victims have paid only to never receive the
decryption key that unlocks their data.

Cleverer cybercriminals realize, however, that if they don't follow
through, the scam will cease to be profitable. There has to be a level of
good faith between extorter and victim.

Larson Studios took a financial hit and one to its reputation. Variety
writes that it lost some studios as clients, but most stuck with the
company. It underwent a computer security revamp and now uses encryption,
network segmentation and even keeps the sound files separate from video
files for programs in case one or the other is compromised.

But paying the ransom, in hindsight, was a mistake. Rick Larson tells
Variety: "Don't trust hackers. With the information we had, we made the
best decisions that we could make at the time. Those would not be the
decisions that we would make now."