In recent months, we’ve seen the return of threat actors calling themselves TheDarkOverlord (TDO), although some sources have speculated that arrests announced in May may have damaged the group. As some journalists and others have noted in conversations, certainly this incarnation of TDO does not seem to know of some events or statements they’ve made in the past and most of their offerings have been old hacks and data breaches. So is it the same TDO with just a new spokesperson, or is this a different TDO?
If today’s development is any indicator, TDO is still standing, and whoever is posting as TDO appears to be the real thing.
Consider what they have claimed to have done to a firm called Caribbean Island Properties.
In a fairly typical long and insulting communication, TDO claims to have wiped out all of the firm's files, a data protection disaster enabled, according to TDO, by incredibly sloppy passwords:
We actually did it, although they got in your e-mail because your password was ‘12345’. We pwned your entire infrastructure. Your Domain Admin password was ‘CiP@12345’. Now, let’s just start with what we know: you found our Support user that was exfiltrating loads of your data, and you deleted the files we were stealing from you. We weren’t going to delete all your files originally, but since you’ve deleted ours, we deleted all of yours. Now, mind you: we were able to recover ours, but you won’t be able to recover yours. So now we’re the only ones with copies of your files. Right, onto the goods.
The above would be enough to make most site owners or administrators thoroughly nauseous and alarmed.
The firm was then offered various options for payment to recover their data, with the first option being:
You, our client, accord and satisfy a complete transfer of 100.000 GBP of Bitcoins (BTC) over a twelve calendar month period of time with your first transfer to be a thirty percent down-payment transfer of 30.000 GBP of BTC to be made by the date and time of 2018-12-25 23:59 UTC. Follow-up transfers of approximately 5.833 GBP of BTC will be made by the end of each calendar month for the next twelve months, in order to accord and satisfy this proposed option. A primary benefit of this arrangement is that you know we want the Bitcoins and we’ll not be motivated to go ill on our arrangement because we’ll be motivated to hold out. While we’re providing you a guarantee we won’t go ill on our word, we realise this option may appear attractive due to your prejudice against us believing we’re cyber-baddies.
The entire missive to “Cindy and David” appears at the bottom of this post, as does a copy of the contract that TDO posted on Pastebin.
Long-time followers of TDO will recognize much of the concept and the text, as those options and approach have been used before by TDO.
As someone who has followed their work since June 2016, and who had read the Larson documents and contract, as well as their communications to other victims, yes, this is the writing of TheDarkOverlord. But is it someone just copying/pasting their past work? A lot of what I read today could have been just changing the names of the victims and dates, so are we looking at new writing or a template from the past?
My impression is that this is still TDO and not copycats. If you think otherwise, you are welcome to use the Comments section below to explain why you think so.
And yes, I know that some journalists have opted not to report on TDO so that they (other journalists) are not somehow complicit in putting any pressure on TDO’s victims to pay up. This site continues to try to balance that concern with a strong sense that the public needs to be kept informed about threat actors so that more businesses and entities will take steps to protect themselves from attacks.
In the meantime, CIPcaribbean.com did not respond immediately to an email asking them for a comment about the claimed hack and what steps they are taking, but a check on the BTC wallet specified in the contract, 152r8afrWfq7xxGFTpsBgyHChPP8fmHfpz, shows no transactions as yet.
This post may be updated as more information becomes available. And this is not the only newly revealed hack by TDO today. DataBreaches.net received an email from another firm claiming that TDO had hacked them. This site may have more on that one later today.
Yeah, the way that’s written, that’s got to be the same front man at least.