Threat Watch

Thedarkoverlord Returning to Old Optempo

Thedarkoverlord appears to be returning to their old activities after a roughly six-month long hiatus. Two new data breaches attributed to the criminal group Thedarkoverlord were discovered yesterday.  The first targeted organization was a real estate firm called “Caribbean Island Properties.”  Thedarkoverlord claims to have gained access to the organization’s systems through a user account which used a weak password–supposedly “12345.”  The group then claimed to have targeted the domain admin account which they claimed used the password “CiP@12345.”  In their statement, they indicated that they were also operating an account that they created through the domain admin account called “Support” which they then utilized to exfiltrate large amounts of data from the firm’s systems.  The group then deleted files from the company’s servers and have offered to return the information to them if they transfer 100,000 GBP in Bitcoin (approximately 33.27 BTC or $127,000 USD) over a one-year period. They also required a 30,000 GBP down payment in Bitcoin (9.98 BTC or $38,000 USD) to be made before Christmas and then follow-up transfers of 5.833 Bitcoin every month after that.  The second target was the California-based company Prime Staff Inc., an outsourced personnel and administrative services organization.  Thedarkoverlord made a similar request of Prime Staff requesting $50,000 USD (13.07 BTC) over a one-year period, $25,000 (6.54 BTC) if paid before Christmas day, or a third option of $37,500 (9.82 BTC) over a one-year period if they would vouch for the ethics and reliability of Thedarkoverlord to their future “clients,” which is what Thedarkoverlord calls their victims.

ANALYST NOTES

Both of these instances represent a very smart and significant change to ransom attacks which could possibly significantly increase the success of Thedarkoverlord’s operations. The offer of payment plans is a much easier bill for many companies to consider in order to get their data returned to them. This, partnered with offering discounts for early payments and having other “clients” vouch for Thedarkoverlord keeping to their word, could possibly improve the income seen from their operations. The targeting of a U.S. staff management firm which was offered a discount for vouching for them is an indication that the group will probably begin to target more organizations based within the United States and possibly those which are known to be clients of Prime Staff Inc.