A cyber gang calling itself The Dark Overlord Solution late last week sent an unusually threatening ransom note to the Columbia Falls (Montana) school district forcing officials to shutter its schools to ensure the safety of the students.
The long, rambling and condescending email from The Dark Overlord Solution, the same group likely responsible for the Netflix and Disney hacks with the addition of the word “solution” to the name, to the district stated that the group has fully compromised the school's network hinting that it knows intimate details about students, their parents and staff and contains references to the school shooting tragedy at Sandy Hook Elementary, misspelling the school Sidney Hook. As a precautionary measure the district's schools, along with Flathead Valley Community College, were closed for three days reopening on July 19 affecting about 15,000 students.
“We know who you are Columbia Falls. We know everything about your operation. We know everything about your schools, and the children in them. Your nursery children, your primary children, and your secondary children. We know who the problem children are, who the honour performing children are, and even who many of the parents are. We have educated ourselves and made ourselves aware of your entire lives,” The Dark Overlord Solutions wrote.
Unlike most communications associated with a cyberattack or ransomware situation, this letter was issued but the district's computer network was allowed to continue operating instead of being locked up or having he files encrypted. Instead the gang included in the note some student information, which was redacted by the school and local police before being made public, that was purportedly pulled from the school's computer system as evidence that The Dark Overlord Solution had hacked the system. Something quite normal for this type of cybercriminal James Carder, LogRhythm's CISO, told SC Media, as they need to prove to the victim that they have indeed hacked their system.
The gang only alludes to physically injuring anyone, but it does say it will release what it believes to be embarrassing information about the students and district to the public if its demands are not met.
Carder said that despite the change in tactics reflected in the harsh ransom note he does believe The Dark Overlord is responsible.
“The ransom letter TDO used did deviate from what you would normally see with general ransomware. This isn't, however, unique for hacking collectives (real people behind keyboards). It reminds me of the letters and messages that Anonymous and Lulzsec used to send during their heyday,” he said.
The group is demanding $150,000 be paid in bitcoin, going so far as to allow Columbia Falls to use an installment plan spreading the payments out over one year.
Flathead County Sheriff Chuck Curry posted the email on his department's Facebook page saying the he does not believe the students are in any physical danger.
“The group who have identified themselves in this letter have been identified, and are the subject of active investigations elsewhere in our country. They are located outside of the United States. We have also discovered that they have frequently failed to live up to their promises to not release the stolen data in the past, even when their ransom demands have been met,” Curry wrote.
The FBI is also involved in the investigation, but an agency spokesperson told SC Media, "The FBI has resources devoted to this investigation and because it's ongoing, I'm unable to provide any more details at this time."
Carder backed this up saying the release of student information and contacting parents is par for the course with The Dark Overlord and similar groups as it “raises the stakes” and scares the victim into paying.
The reason the Columbia Falls was chosen had less to do with what type of organization it is, a school, as opposed to the fact it was an easy target.
“TDO scans the internet looking for easily exploitable vulnerabilities, leverages those to gain access to networks, steals data before victims even realize they've been compromised, and then tries to extort them for profit. Although school districts probably have less money to extort than a massive media conglomerate, they're much easier to compromise as they generally don't invest in cybersecurity protections or practice good IT hygiene,” Carder said.