How a Hacker Is Gaming the Media to Extort His Victims
The hacker behind a recent slew of healthcare organisation breaches is deliberately using the media to intimidate his victims.
Over the past few days, millions of health care organisation records have been listed on the dark web. But rather than simply selling the data at a low price for a quick payday, this hacker is advertising it to extort the unnamed companies into paying money to protect their patients' details.
"The Dark Overlord" is taking full advantage of a weapon that many other cybercriminals overlook; one that he hopes will make him more threatening, and ultimately help in getting targets to cough up ransom demands: the media. By courting press attention, he puts pressure on organisations to pay up.
"There has always been a specific method and plan," the hacker told Motherboard in an encrypted chat, referring to his publication strategy.
"Every time I put a new listing up it gets reported without hesitation now."
The Dark Overlord wouldn't explicitly spell out this process, but it goes something like this: First, he posts a database; then, he gives samples of the data to reporters, who go out and verify them. These articles, and the subsequent reblogging of them by other outlets, convinces companies that the hacker is a legitimate threat. These steps repeat over and over, building up the hacker's reputation as someone to be taken seriously.
I pitched this to the Dark Overlord. "Something like that," he said. He claimed that the media attention has already encouraged a few organisations to pay up.
The Dark Overlord doesn't list the databases on the dark web straight away. At first, he might extort targets in private, threatening to sell or release their data if they don't pay the ransom. Typically, the hacker said, those initial phone calls or emails get ignored.
"It is never, 'Hey, okay you got us, where do we pay?'" he joked.
If the company doesn't comply, he proceeds to the next stage and lists company data for sale without naming the organisation.
"The databases that you see listed are ones from victims [who] have either declined to pay or whose deadlines are coming up and need a little pressure put on them," the Dark Overlord said.
So far, the hacker has put up five databases: 48,000 records from a healthcare organisation in Farmington, Missouri; hundreds of thousands from Atlanta, Georgia, and the Central/Midwest US; 9 million apparent patient insurance details; and, on Tuesday, information on 34,000 supposed New York healthcare patients.
But just listing the data might not be enough to secure a ransom payment, and that's where the media comes in, which is able to quickly, dramatically, and inadvertently squeeze the target organizations tighter.
"I have a reputation with this handle now. Another step accomplished," the Dark Overlord added. "Every time I put a new listing up it gets reported without hesitation now."
Hackers using the media to their own ends is not new. Anonymous has distributed attention-grabbing and ready-to-publish imagery or press releases that were easy for journalists to quickly report on. Impact Team, the hackers behind the Ashley Madison breach, sent a link of the data to at least one well-known security journalist.
But this latest campaign sticks out in its systematic and very deliberate approach. The Dark Overlord knows how to game the media, and reporters are playing along.