Hollywood Studio Hit By Cyber Extortion Says: ‘Don’t Trust Hackers’ Larson Studios Paid a $50,000 Ransom. They Were Burned Anyway. Scene from ‘Orange Is the New Black.’
The back story behind the ransom attack that led to the unauthorized early release of the Netflix TV series “Orange is the New Black” is a cautionary tale in dealing with cyber extortionists such as The Dark Overlord.
In an exclusive story, the publication Variety tells the tale of Larson Studios, a Hollywood post-production facility that saw three dozen titles, including the forthcoming season of the dark prison comedy, stolen from its network by The Dark Overlord.
“With the information we had, we made the best decisions that we could make at the time. Those would not be the decisions that we would make now.”
The company’s owners, Jill and Rick Larson, say they transferred $50,000 worth of bitcoin to the attackers in an attempt to prevent the release of stolen content, Variety reports. But The Dark Overlord released the series to file-sharing networks anyway.
The Dark Overlord, which is suspected to be a small group of hackers, gained notoriety in 2016 for its ruthless attacks on small organizations, such as medical clinics. The group contacts the organizations, announces data has been stolen, and demands a ransom payment. If the ransom isn’t paid, the stolen data is often dumped online. In several cases, highly sensitive medical and personal data has been leaked, with victims often unaware of the breaches (see Here’s How a Hacker Extorts a Clinic).
In the latest incident involving The Dark Overlord, data on several celebrities from a California vision clinic was dumped.
Security experts who’ve analyzed some of The Dark Overlord’s attacks say the group typically hits organizations that have made relatively elementary security errors.
I chatted with a purported member of The Dark Overlord last month on instant messaging. The person confirmed for me that he or she had control over a Twitter account (@tdohack3r) that has frequently posted stolen data. Twitter recently suspended the account.
“Some operations are easier than others and require far less effort, mind you,” the member of The Dark Overlord told me.
The Larson Studios hack was no different. Variety reports that the group apparently came across a Window 7 machine belonging to the small company. Microsoft ended mainstream support for Windows 7 in January 2015, but the operating system still receives monthly security patches.
Whether Larson Studios regularly patched the machine is unclear, but it was isolated as the point of intrusion by The Dark Overlord. From there, it only became worse.
Variety quotes Larson’s director of digital systems, Chris Unthank, as saying, “Once I was able to look at our server, my hands started shaking, and I almost threw up.”
SMS Hack Alerts
The Larsons started receiving text messages from The Dark Overlord two days before Christmas last year asking them to check their email. On Christmas Day, Unthank found data had been deleted on the server. The same day, the company contacted the FBI.
The Dark Overlord threatened to release “Orange is the New Black” before Dec. 31. But it was nearly a month before the group provided evidence that it had stolen what it had claimed. The group demanded that Larson not speak of the attack.
The group sends victims “proposals,” which are actually extortion letters. When I chatted with The Dark Overlord representative online last month, that person contended the group had an “ace legal team” that emphasized non-disclosure of attacks by its so-called “clients.”
“They can expect the highest level of client services and discretion,” the person wrote over an encrypted chat. “We’re in this racket to earn vast amounts of internet money and doing so requires our operations to be in tip-top shape.
“Our business is built upon principles like discretion and client service,” the person continued. “When a client enters into a contract with us, we take them by the hand and guide them to safety. We volunteer to handle all matters and maintain strict non-disclosure. Many times we all become friends and laugh about the entire arrangement over some alcoholic beverages.”
Although the FBI advised Larson not to pay, it did anyway. Rick Larson tells Variety that the company felt clients entrusted it to protect their intellectual property.
It took the Larsons a week and 19 separate transactions to send $50,000 worth of bitcoin to the attackers, a process that was hampered somewhat by transfer restrictions imposed by Coinbase, a bitcoin exchange, and concerns by its bank. The Dark Overlord sent an email acknowledging the payment. The Larsons hoped the problem had gone away.
Instead, The Dark Overlord was trying to expand its pool of victims, contacting other studios about the stolen content. Larson Studios hadn’t told anyone other than police and the FBI about the incident. The group also tried to blackmail Netflix directly.
The premier episode for season five of “Orange is the New Black” popped up on The Pirate Bay, the bittorrent search engine, around April 29. Soon after, torrents for the remaining nine episodes showed up. It was widely believed that attack would never result in payment, or at least directly from Netflix. Wired wrote a story titled: “That Orange is the New Black Leak Was Never Going to Pay Off.”
But actually, it did.
‘Don’t Trust Hackers’
Paying a ransom, whether for stolen data or for data that’s been encrypted by malware, has proven to be a tough cybercriminal ruse to stop. In the case of ransomware, some victims have paid only to never see the decryption key released that unlocks their data.
More clever cybercriminals realize, however, that if you don’t follow through, the scam will cease to be profitable. There has to be a level of good faith between extorter and victim.
Larson Studios took a financial hit and one to its reputation. Variety writes that it lost some studios as clients, but most stuck with the company. It underwent a computer security revamp and now uses encryption, network segmentation and even keeps the sound files separate from video files for programs in case one or the other is compromised.
But paying the ransom, in hindsight, was a mistake. Rick Larson tells Variety: “Don’t trust hackers. With the information we had, we made the best decisions that we could make at the time. Those would not be the decisions that we would make now.”