thedarkoverlord experiments with its approach to amassing BTC

I’ve probably reported more on the blackhats known as thedarkoverlord (TDO) than other journalists, and I’ve probably spent more time chatting with them about their work than any other journalist. But despite my considerable investment of time, there are times when I simply do not understand why they are doing what they are doing. As someone who has had decades of professional experience predicting and understanding behavior, I find that when their strategy makes absolutely no sense to me, either their neurology has led them down an unusual path, or I’m failing to appreciate some brilliance on their part.

It might be either. Or both.

So let me use this post to lay out what I’ve observed about TDO’s approach to amassing vast amounts of internet money (as they call it), and how it has been evolving over the past few years.

In the Beginning

When TDO first burst on the scene in June, 2016, it was after they had listed three patient databases with hundreds of thousands of records for sale on The Real Deal marketplace, asking exorbitant amounts of money for them.

It soon became clear that the sale of the patient databases was simply a way to put pressure on their victims, who they had been attempting to extort. By placing such a high price on the data, they got media attention, and with the media attention and reporting, more pressure on their victims.

But did that increased pressure convert to increased payment by the medical clinics? It didn’t appear to. Their early extortion demands, which I was privy to by virtue of having been shown many of their nonpublic email chains with their victims, did not appear immensely successful. From reading their communications, it was clear to me that TDO had done their homework: they had researched their victims and knew the names of the executives and staff, and they had even researched their victims’ families. They had also looked at patient databases closely enough to spot patient names that might belong to celebrities or famous sports figures. [Note: I am referring to TDO as “they” because it appears to be have been than one person over time and even during the same time period.]

So TDO did not appear to be particularly successful in their early attempts to extort the medical sector, even though they appeared to be doing more work researching their victims than the threat actors known as Rex Mundi had done, and even though they were tweeting claims that they had been successful. More than one year later, I would learn that TDO was, indeed, doing better financially than I had imagined, as they showed me some of their wallets from 2016 and signed messages to me from the wallets.

But back in the summer of 2016, TDO was not happy, to say the least. I cannot get into any details, but it almost appeared to be an obsessive battle of wills — that the victims HAD to pay or TDO would make them suffer.

As brilliant intellectually as TDO seemed to be (and yes, I do think the person I was dealing with is intellectually gifted), TDO didn’t seem to really grasp how to get people to do what they wanted them to do. Doctors really do care about trying to protect patient data. Threats or reminders of the consequences of breaches aren’t really necessary or even helpful. TDO’s strategy was to increase the pressure on victims by a parade of horribles, but the victims didn’t need the parade of horribles or more motivation. As psychologist Ross Greene has famously said, “Motivation makes the possible more possible. It does not make the impossible possible.” TDO’s victims were already motivated to protect patient data, but TDO did not seem to fully recognize what was needed or helpful to convert that motivation to payment. And they couldn’t always seem to recognize situations in which they were just never going to get paid – even when doctors told them to go “F…” themselves.

So there was TDO in 2016, setting ridiculously high amounts for extortion payments or for sale of databases. They didn’t care about the patients or what would happen to the patients. They cared only about getting money. Nothing else. And they didn’t seem to fully appreciate how to negotiate with healthcare professionals about protected health information. Perhaps they thought that they figured it out the following year when they began offering victims contracts that included three different payment options, but even that missed the boat.

But let me digress for one minute, because to this day, people still don’t seem to understand one thing about TDO that TDO has always been extremely clear about and consistent about: they do not care about the human emotions or anguish people might feel. They only care about how to exploit human emotions if it gets them more money.

From my perspective, one of the strangest – and most instructive – breaches of theirs was the  Little Red Door Cancer Services of East Central Indiana hack. To this day, I’m still not totally confident that I understand what happened there because the center’s statements and TDO’s statements about “ransomware” and servers being wiped were quite different, but what really puzzled me was that they attacked a little not-for-profit. Why? This NFP had almost no money at all. Why not go after a victim that has the means to pay more? I understood that they didn’t care about the humanitarian effort, cancer, etc. But if they cared about money, why waste time on this little NFP?

So that particular attack made no sense to me, and I don’t like it when things don’t make sense. By the end of 2017, though, they had also attacked a number of school districts, again leaving me wondering … why? Why attack a public school district that almost certainly will not have a lot of resources or a hefty cyberinsurance policy? Why not just go after the real commercially viable firms that are raking in tons of money? Was this really just about getting internet money or was some part of it also the challenge of seeing if they could get their victims to pay them something – anything – just to feel that they have “won” somehow or bested their adversary?

And why continue to use a hack and extort approach instead of just deploying ransomware which might produce faster results?

What was TDO thinking about these questions, and why? I wish I could have gotten them or even still get them to explain their rationale to me, but alas, they have always declined to discuss these things.

Since 2016, TDO has been attacking victims from all sectors, and attempting to extort them all, although sometimes, they don’t get around to attempting extortion until months or a year after they have hacked and exfiltrated data. And at times, they seem to be attempting to extort the wrong entity, as I recently noted in discussing their erroneous claims about National Life Group, although they might try to argue that a deep pockets entity is the right entity to extort even if it wasn’t their servers that were attacked. And if that really is their intention – and not just a coverup for attempting to extort the wrong entity – then that, too, is a change in their methods to note. But what could your firm do with the knowledge that TDO might attempt to extort your firm even if you weren’t the entity they hacked? Are there situations in which non-hacked entities might agree to pay?

NOW What Are They Doing?!

With their recent return to public visibility to try to make money from 9/11 files via both extortion and crowdfunding, TDO seems to be experimenting yet again. Perhaps starting with a page from the Shadow Brokers, TDO may have come up with a winning strategy: demand payment from your victims to return or delete data so that it never sees the light of day, while at the same time asking the public to crowdfund payment to you so that you will make the files public. They can get paid either way.

This strategy really may be a game-changer in terms of extortion attempts going forward if the data or files are sufficiently of interest to the public. In this case, TDO has already tested the water by mentioning that they have files on UFOs. Well, how can that not be a winner, right?

And in a second test of the “pay us not to release the data” and “pay us to show you the data,” TDO is also currently putting pressure on victims of the London Bridge Plastic Surgery hack disclosed in 2017, but now they are attempting to extort the patients themselves. [Note: decided not to report on that hack at the time because the data were unusually sensitive, including pictures of genitalia and identifiable patient data and psychological reports.] Having failed to obtain the payment they sought from the surgery itself in 2017, TDO now appears to be trying to extort the patients directly. That, experiment, too, may lead to more extortion of individuals down the road if the London Bridge Plastic Surgery patients pay their demands. And if the patients don’t pay up, well the public may pay to see nude celebrities. Either way, TDO would get some money.

The London Bridge Plastic Surgery-related extortion also highlights another aspect of TDO’s methods: they don’t just extort and pack it in. They go back to the victims and try and try again, even more than one year later. So maybe victims who breathe a sigh of relief when TDO stops contacting them shouldn’t feel relieved. They may come back and try again, or they may reach out to your patients or clients at a later date.

Of concern, while all this is going on right now — while TDO is trying to make money from the 9/11 files they claim they have while at the same time trying to extort National Life Group, patients of London Bridge Plastic Surgery, and likely Advantage Life, and FRS — there are still many more other hacking victims of theirs who are in the process of being extorted or who will receive extortion demands at some point.

And what TDO learns now from its newest experiments may impact what happens to all of their other hacking victims that haven’t been disclosed yet. Some of them are likely small medical practices. Some are public schools. And there’s no point in asking TDO to show them any mercy because they just don’t care. The blackhats that revel in being called cyber-enabled terrorists are still developing their approach and their image doesn’t include being compassionate. It only includes being profitable.

So those of you who have been cheering TDO on for leaking the 9/11 files or because you want the UFO files or to see nude celebrities, remember that you cheered them on when they threaten to expose really sensitive information about you or your family.

About the author: Dissent