In late June 2016, we observed a spate of attacks allegedly conducted by a vendor named “thedarkoverlord” on the dark web marketplace the Real Deal.  This vendor has added multiple listings for information claimed to be stolen from U.S. healthcare organizations. These listings were characterized by the focus on US healthcare organizations, the unusually high price asked for the data, and the claim that only one copy of each dataset would be sold. In addition to attempting to sell this data online, this actor has attempted to extort the purportedly breached by threatening to release the data online if a ransom is not paid and posting excerpts of data to Pastebin. We have detected several posts on Pastebin over the last week from this actor. This approach of using multiple tactics to attempt to monetize successful intrusions has also been observed in recent ransomware campaigns.

Activity

The timeline below lays out all this actor’s currently known activity, including when they have added new listings to the Real Deal and their interactions with the media and the public.

Darkoverlord timeline 2016

Fig 1 – A timeline of thedarkoverlord’s significant activity

Motivations and ethos

Although thedarkoverlord has listed seven datasets for sale so far, the actor’s Real Deal profile shows only one sale and it was not possible to determine whether this was a genuine sale or thedarkoverlord using a second account to bolster their credibility. This suggests a lack of success, although it could not be confirmed that the actor has not successfully sold data via another medium. If true, this would likely be attributed to the high price of the datasets and the actor’s lack of an established reputation – criminal actors are likely to be wary of paying large sums of money to an actor lacking a reliable reputation. This actor’s motivation for placing increased emphasis on the extortion angle was likely a reaction to their failure to monetize the data by selling it. This shift in tactics has two possible benefits:

  1. It enables the actor to potentially profit twice from each data set by first extorting the victim and then selling it online
  2. It results in increased publicity and reporting on the validity of the datasets, which is likely to increase trust in the actor and increase the likelihood of a sale.

Although selling breached data is nothing new, this actor appears to have decided to specialize in targeting US healthcare organizations and obtaining personal health information (PHI) and data of use to actors with a specific interest in this sector, such as the HL7 software source code offered for sale on 12 July. Although their reasons for doing so were unknown at the time of writing, the high value of PHI and the generally low information security standards in the healthcare sector were likely contributing factors.

Assessment and outlook

Although this actor has claimed to possess large volumes of sensitive data, only small sections of the data have been verified as genuine by third-parties and at the time of writing, we continued to assess a realistic possibility that some or all of this actor’s claims were false. The actor’s lack of an established reputation, and the fact that they elected to sell their purportedly high value datasets on the Real Deal rather than on a closed forum, were assessed to point to the actor being relatively unestablished, as did the use of Twitter and media interviews to garner publicity. However, this actor has demonstrated the intent to continue listing purportedly stolen PHI for extort affected organizations and has likely been encouraged by their success in so quickly establishing a public reputation. We therefore expect to thedarkoverlord continue to attempt to garner publicity, perhaps adapting tactics further to improve chances of success.