Hackers hold entire school district to ransom

An entire US school district in Flathead Valley, Montana, shut down for three days after hackers going by the name of “TheDarkOverlord Solutions” targeted several schools, sending death threats to parents and promising to release students’, teachers’ and school administrators’ personal information unless a ransom was paid.

The attack disrupted more than 30 schools across the valley, including the cancellation of activities and events through the weekend. Classes resumed on Tuesday under heightened security.

Flathead County Sheriff Chuck Curry posted the ransom note on Facebook (with some information redacted), along with a written statement, to alleviate concerns about the physical safety of those in the school community.

The Dark Overlord, or the more ironically titled The Dark Overlord Solutions (if you can stomach the endless ransom letter, which goes on for page after self-congratulatory, self-amusing page, you’ll notice that the group relishes its irony), is a known group.

The Dark Overlord has gone after healthcare organizations.

The group is also responsible for extorting Netflix, though the company refused to pay.

Remember the group that wanted to spoil the release of Season 5 of Orange Is the New Black, back in May? Same group; at least, the group involved in this school attack is going by the same name, and it claimed to be responsible for the Netflix attack in its ransom note.

In spite of having received 50 Bitcoin (worth about $50,000 at the time) from an audio post-production studio in Hollywood, The Dark Overlord went right ahead and released the show anyway.

The Dark Overlord spent a week making graphic death threats against children in Flathead County. The threats include the ransom letter’s horrific allusions to Sandy Hook, scene of the mass shooting murders of 20 elementary school children and six adult staff members. In spite of such threats, Sheriff Curry reassured residents that the group isn’t as murderous as it is full of hot air:

We have made the unusual decision to release the ransom demand letter. We feel this is important to allow our community to understand that the threats were not real, and were simply a tactic used by the cyber extortionists to facilitate their demand for money.

We have also discovered that they have frequently failed to live up to their promises to not release the stolen data in the past, even when their ransom demands have been met.

We fully understand the concern and fear that has resulted from this cyber-attack, and want the community to know that all the valley law enforcement agency heads feel there is no threat to the physical safety of our children.

Sheriff Curry said that the group is already under multiple investigations elsewhere in the US but that it’s located outside of the country.

The hacking group managed to infiltrate the Columbia Falls school district server in order to steal personal information that included addresses, medical records, behavioral records and more for past and present students, staff and parents. More than 15,000 students were affected by the school closures, which included cancellation of away games.

This isn’t just your run-of-the-mill ransomware. If the extortion is in fact coming from the well-known hacking group, it’s the first time they’ve added death threats to the mix.

A local newspaper, the Flathead Beacon, quoted Zuly Gonzalez, co-founder and CEO of Maryland-based cyber security firm Light Point Security, who’s familiar with The Dark Overlord’s modus operandi:

I’ve never heard of them actually threatening anybody’s lives, especially children… Usually these groups aren’t really designed to do that type of stuff.

The Dark Overlord is, as far as law enforcement can determine, overseas. They’re not close enough to carry out physical harm. Hopefully, that will lessen the fear that parents must have felt when they received threats against their children’s lives.


Gonzalez thinks it likely that the targeting of Flathead schools was random. These groups go after the low-hanging fruit, she says, which means networks that didn’t have proper protection in place to guard against malware, for example.

Defensive measures: ransomware

As ransomware attacks continue, it’s clear that there’s far more that we have to do to protect data than to buy up digital currency and plan to pay ransom to crooks – and yes, there are many organizations that are doing just that.

The problem is that paying ransom a) doesn’t ensure that the extortionists will keep their side of the bargain, whether that means handing back your data or not leaking it (consider The Dark Overlord, which released stolen data even after being paid, as a prime example), b) doesn’t ensure that the crooks won’t come back looking for more money in the future, and c) invites future attack.

To protect your organization from ransomware, we handed out some defensive measures against malicious attachments when we covered the recent resurgence in Locky ransomware.

Of course, the best defense against ransomware is not to get infected in the first place. To that end, we’ve published a guide titled How to stay protected against ransomware that we think you’ll find useful.

You can also listen to our Techknow podcast Dealing with Ransomware, available on Soundcloud and via iTunes.