Defending Your Data From the Dark Overlord

Gautham Thomas
FEBRUARY 27, 2018

The Dark Overlord’s Fingerprints

The person or persons behind the Dark Overlord are unknown, but its victims tend toward the higher profile. They include Hollywood production studios and public school districts—and healthcare institutions, on which the group first cut its teeth. Its targets range in size from a California eye doctor to large clinics and insurers.

Healthcare Analytics News™ attempted to contact several targets but did not receive responses.

The Dark Overlord reached national notoriety in December 2016, when the group broke into the server of a Hollywood postproduction studio and nabbed 10 unreleased episodes of the Netflix series Orange Is the New Black. Hackers demanded $50,000 in Bitcoin for their return. The group’s largest healthcare job, meanwhile, may be its haul of 9.3 million patient records from what it called “a large insurance healthcare organization in the United States.” After the company refused to pay, the Dark Overlord offered the records for sale on a dark web marketplace.

To pressure healthcare hacking victims, the Dark Overlord has promised to embarrass famous patients. After attacking a London-based plastic surgeon, the group threatened to release before and after photos of patients, which allegedly included British royals and celebrities. In November 2016, the group threatened to release the records of college and professional athletes who attended an orthopedic clinic in Atlanta, Georgia.

The Dark Overlord’s method of getting payouts for patient data is more personal than that of other cyberattackers. In a ransomware attack, a malicious actor breaks into a network and locks the victim’s data, and then offers a key to unlock it—in exchange for payment. Interaction between attackers and targets can be as brief as transmitting the ransom and, depending on the reliability of the hacker, receiving a decryption code.

The Dark Overlord appears to choose its victims deliberately, whereas ransomware targets are often random. In May 2017, the WannaCry ransomware attack affected 200,000 computers across 150 countries, temporarily crippling the United Kingdom’s National Health Service and resulting in an estimated $4 billion in losses. WannaCry was self-propagating, spreading via email as viral malware. The attack probably was not intended to target large institutions, considering the Bitcoin ransom price was about $300, according to experts.

Victims know immediately when they have fallen prey to ransomware. They find their systems locked and unusable, their screens displaying a countdown clock and an address accepting Bitcoin payments. In contrast, the Dark Overlord’s victims may not realize they have been hacked until they receive a taunting email, like this extortion note sent to one school district: “If you receive a message from us, it means you have been completely and thoroughly attacked and breached by an organised entity of creatures who are motivated only by their love for internet money,” the Dark Overlord wrote. “We are savage creatures who do not discriminate. We prefer to prey upon the likes of institutions such as your own, but not because we have anything against children, but rather for much more interesting reasons which you will soon come to understand.”

Hackers then reportedly used the seized data to send threatening text messages to parents and students, forcing the temporary closure of 8 schools.

Ryan Kazanciyan, chief security officer at the cybersecurity firm Tanium, called the Dark Overlord’s extortion attempts “less common than classic ransomware campaign or other forms of extortion, like denial of service attacks.” The Dark Overlord’s direct approach involves more unknown factors. “How do we know [the attacker has] the data? How do they know we’ll comply with demands?” Kazanciyan said. “When you think of the economics of cybercrime, you need consistency.”


How Can Healthcare Defend Its Data?

Healthcare must bolster its defenses against all cyberattacks, including those from the Dark Overlord. The spike in the rate of healthcare hacks, however, might be due not to poor industry standards but, rather, to greater security awareness. “The increased popularity of ransomware has made breaches more visible,” Kazanciyan said. “Stealing and selling data on the black market can sometimes be silent.”

Krush echoed Kazanciyan’s conclusions: “Until fairly recently, most healthcare organizations didn’t even know if they experienced a breach. They weren’t investing in security and had no response capability.” Now, institutions know when they have been hit.

Healthcare must first focus its everyday efforts on solving the problem, according to Banash—and he should know. “We get attacked on a daily basis,” he said. “Our network is being probed a dozen times or more a day by people doing reconnaissance.” Aging, unsecured medical devices offer hackers a particularly dangerous window through which they can jump to other locations on the same network. Those devices can also, if locked with a ransomware attack, be crippled and unavailable for patient treatment, which happened to the British National Health Service during the WannaCry attack. Hospitals must focus on protecting these high-cost, heavy-duty devices, experts said.

In this age of consolidation, healthcare organizations may also benefit from inspecting their systems before linking arms. “One company can inherit malware and existing breaches from the other,” Kazanciyan said. “In other cases, you’re taking 2 mismanaged, insecure environments and combining them, creating something that’s even more insecure than the sum of its parts.”

The first step to strengthen cybersecurity? “An accurate and up-to-date inventory,” according to Kazanciyan. Tech specialists must maintain computing devices, operating systems, and software, keeping them updated and patched. Both the Dark Overlord and WannaCry attacks took advantage of vulnerabilities in older operating systems that their owners had not updated or addressed.
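The inventory-first advice above is easy to state and hard to keep honest without tooling. The script below is an added illustration, not code from the article or from Tanium: it runs the three checks Kazanciyan describes (which computers are on the network, what they run and whether it is still patched, and which of them are allowed to talk to each other) over a small constructed inventory. Host names, subnets, patch dates and the segmentation policy are all made up for the example; the two end-of-support dates are the vendor's published ones, and the table would be extended from vendor lifecycle pages in real use.

```python
"""Asset-inventory hygiene check (illustrative, constructed data).

Flags hosts running an operating system that no longer receives vendor
security patches, hosts whose last patch is older than a threshold, and
observed network flows that the segmentation policy does not permit.
"""
from datetime import date

# Vendor end-of-support dates: once past, the OS gets no security fixes.
# Windows XP and Server 2003 dates are the published ones; the table is
# deliberately small and should be populated from vendor lifecycle data.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Date the audit is run as of (the article's publication date, for the demo).
AS_OF = date(2018, 2, 27)

# Constructed inventory: one record per networked device.
INVENTORY = [
    {"host": "mri-console-01", "role": "medical-device", "os": "Windows XP",
     "last_patched": date(2013, 11, 2), "subnet": "10.20.0.0/24"},
    {"host": "pacs-srv-02", "role": "server", "os": "Windows Server 2016",
     "last_patched": date(2018, 2, 13), "subnet": "10.10.0.0/24"},
    {"host": "nurse-ws-17", "role": "workstation", "os": "Windows 10",
     "last_patched": date(2017, 9, 1), "subnet": "10.30.0.0/24"},
    {"host": "lab-analyzer-03", "role": "medical-device",
     "os": "Windows Server 2003",
     "last_patched": date(2015, 6, 20), "subnet": "10.20.0.0/24"},
]

# Constructed segmentation policy: (source role, destination role) pairs
# that are allowed to initiate connections. Anything else is a finding.
ALLOWED_FLOWS = {
    ("workstation", "server"),
    ("medical-device", "server"),
    ("server", "server"),
}

# Constructed sample of observed connections (source role, destination role).
OBSERVED_FLOWS = [
    ("workstation", "server"),
    ("workstation", "medical-device"),   # not permitted by policy
    ("medical-device", "server"),
    ("medical-device", "workstation"),   # device reaching into workstations
]


def audit_inventory(inventory, as_of, max_patch_age_days=90):
    """Return (host, finding) tuples.

    unsupported_os : the OS is past its vendor end-of-support date
    stale_patch    : the host was last patched more than max_patch_age_days ago
    """
    findings = []
    for rec in inventory:
        eol = END_OF_SUPPORT.get(rec["os"])
        if eol is not None and as_of > eol:
            findings.append((rec["host"], "unsupported_os"))
        if (as_of - rec["last_patched"]).days > max_patch_age_days:
            findings.append((rec["host"], "stale_patch"))
    return findings


def audit_flows(observed, allowed):
    """Return observed (src, dst) role pairs the policy does not allow."""
    return [flow for flow in observed if flow not in allowed]


def summarize(inventory, observed, as_of):
    """Count findings per category so the numbers can be tracked over time."""
    inv = audit_inventory(inventory, as_of)
    flows = audit_flows(observed, ALLOWED_FLOWS)
    return {
        "unsupported_os": sum(1 for _, f in inv if f == "unsupported_os"),
        "stale_patch": sum(1 for _, f in inv if f == "stale_patch"),
        "disallowed_flows": len(flows),
    }


if __name__ == "__main__":
    for host, finding in audit_inventory(INVENTORY, AS_OF):
        print(f"{host:18} {finding}")
    for src, dst in audit_flows(OBSERVED_FLOWS, ALLOWED_FLOWS):
        print(f"disallowed flow: {src} -> {dst}")
    print(summarize(INVENTORY, OBSERVED_FLOWS, AS_OF))
```

On the constructed data both medical devices are flagged twice (unsupported OS and stale patches) and the two device-to-workstation flows are the ones the policy rejects, which is exactly the pattern the article warns about: old, unpatched devices that are also free to talk across the network. In practice the inventory records would come from an asset management or endpoint tool and the observed flows from firewall or NetFlow logs, but the checks themselves stay this simple.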

But before anything, healthcare groups must realign their budgets to support their cyber defenses. “The mind-set has been [that] every dollar put into security is being taken away from patient care, but there is a line where underinvesting in security can have a real effect on patient care,” Kazanciyan said. “Security isn’t just to check a HIPAA compliance box; it’s also to prevent catastrophic effects on patient care.”


The Cybersecurity Takeaway

Although the Dark Overlord's targets tend to be small practices, large organizations face the same threat and corresponding challenges, experts say. The hacking group typically exploits long-standing vulnerabilities in old systems, and more of these may exist in a bigger institution.

“Ten times the number of computers means hundreds of times the levels of risk,” Kazanciyan said. “It’s basic system management: knowing what computers are on the network, what software they’re running, how they’re allowed to communicate with each other. With large healthcare orgs, that doesn’t necessarily go away.”

And the danger posed by the Dark Overlord and any number of similar hackers is not going away, either.
