Are you a fan of Netflix’s Orange Is the New Black? The first 10 episodes have been made available by a cybercriminal named “The Dark Overlord” (TDO) on Pirate Bay. It’s impossible to say what this show is worth to Netflix, but season four had an average of 23 million viewers per episode, according to Symphony Advanced Media’s 2016 year-end newsletter. It is fair to say its value is not small. This is theft on a grand scale.
And yet the internet cheered. When TDO tweeted out the Pirate Bay link to download the compressed files, Twitter users began requesting additional intellectual property to steal, even quibbling over which shows were good enough to merit theft.
The breach was first reported by DataBreaches.net, which was later able to determine that its victim was Larson Studios, an audio post-production firm. (Larson was not immediately available for comment.) Larson's website does list the show as one of its projects at the very top of the page.
A spokesperson shared the following statement from Netflix: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.” Larson has not replied to multiple requests for comment.
As we started digging into this story, we saw a note at the bottom of DataBreaches’ post imploring news organizations not to refer to this release of stolen data as “ransomware.” Ransomware is a tool that encrypts data. This was a targeted trespass in which files were stolen.
Yet Bloomberg BNA, The Inquirer and the International Business Times all characterize it as a ransomware attack. Even The New York Times makes the theft sound like ransomware by going into a long aside about the recent spike in the technique. Not everyone muddled the jargon, though. Bleeping Computer, Ars Technica and eWeek all posted edifying accounts, for example.
Here’s DataBreaches’ version of events. TDO claims to have stolen a number of films and shows from Larson sometime late last year. It demanded 50 Bitcoin (about $50,000 at the time) from the company by the end of January in exchange for not releasing the material. DataBreaches reports having seen an agreement to pay, but then apparently that payment didn’t happen. The writer claims to have been in touch with TDO throughout this process, via encrypted chat.
TDO may have waited to dump any IP because it wanted time to pursue payoffs from the owners of the content, such as Netflix. In a tweet on Friday, TDO threatened that it had content from several other organizations. “Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we’re all going to have,” TDO wrote. “We’re not playing any games anymore.”
Note: TDO has fun when she/he/they cease to play games.
So this is a ransom, but it is not ransomware. Ransomware encrypts everything on a device, as CSO Online explained in a related post. It locks it up. All the data typically stays where it is, but the encryption has turned it to gobbledygook. Ransomware is a tool of extortion, but it doesn’t appear to have been the strategy of this particular extortion. Recorded Future has written recently about trends in ransomware to watch.
It’s not known how TDO got into Larson’s system, but what was done once inside is the important part. Because TDO stole the files rather than encrypting them, the cybercriminals were able to threaten the IP owners themselves when Larson didn’t pay. TDO also would not have been able to publish the files if it did not have a copy of the files.
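The distinction the article draws is one defenders can actually look for in host telemetry: ransomware rewrites files in place with ciphertext (the data stays on the device but turns to gobbledygook), while theft leaves files intact and is visible as a large volume of reads followed by comparable outbound traffic. The script below is an added illustration written for this page, not code from the Observer, DataBreaches or anyone involved in the Larson incident; the audit-event format, the byte counts, the remote address (a documentation range) and the thresholds are all constructed assumptions, chosen only to show the two patterns side by side.

```python
"""Telling in-place encryption apart from data theft in host audit events.

Added illustration for the ransomware-versus-theft distinction drawn in the
article. The event format, thresholds and sample data are assumptions
constructed for this example; none of it is drawn from the incident itself.
"""
import math
from collections import Counter

HIGH_ENTROPY = 7.0       # bits per byte; well-encrypted data sits close to 8.0
MIN_TOUCHED_FILES = 5    # files rewritten before we call it mass encryption (assumed)
EXFIL_RATIO = 0.5        # sent bytes / read bytes at which we call it exfiltration (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def summarize(events):
    """Reduce a list of audit events to the three numbers the heuristic needs.

    Each event is a dict with keys: action ('read', 'write' or 'net_send'),
    target (file path or remote address), nbytes, and for writes an optional
    'sample' holding a slice of the content written. This layout is assumed.
    """
    encrypted_files = set()
    read_bytes = 0
    sent_bytes = 0
    for ev in events:
        if ev["action"] == "write" and shannon_entropy(ev.get("sample", b"")) >= HIGH_ENTROPY:
            encrypted_files.add(ev["target"])     # file rewritten with ciphertext-like content
        elif ev["action"] == "read":
            read_bytes += ev["nbytes"]
        elif ev["action"] == "net_send":
            sent_bytes += ev["nbytes"]
    return {"encrypted_files": len(encrypted_files),
            "read_bytes": read_bytes, "sent_bytes": sent_bytes}


def classify(events) -> str:
    """Label an event batch as in-place encryption, exfiltration, mixed or inconclusive."""
    s = summarize(events)
    mass_encryption = s["encrypted_files"] >= MIN_TOUCHED_FILES
    exfiltration = s["read_bytes"] > 0 and s["sent_bytes"] >= EXFIL_RATIO * s["read_bytes"]
    if mass_encryption and exfiltration:
        return "mixed"
    if mass_encryption:
        return "encryption-in-place"   # data stays put, unreadable: the ransomware pattern
    if exfiltration:
        return "exfiltration"          # data copied out intact: the theft pattern
    return "inconclusive"


# --- constructed sample data (not real telemetry) -------------------------------
ENCRYPTED_SAMPLE = bytes(range(256))              # stand-in for ciphertext: entropy exactly 8.0
PLAIN_SAMPLE = b"Scene 1 audio stem, take 3\n" * 12  # stand-in for an ordinary text file


def _file_batch(n):
    return [f"/projects/show/ep{i:02d}.wav" for i in range(1, n + 1)]


# Ransomware reads each file and writes ciphertext back over it; nothing leaves the host.
RANSOMWARE_EVENTS = []
for _path in _file_batch(6):
    RANSOMWARE_EVENTS.append({"action": "read", "target": _path, "nbytes": 50_000_000})
    RANSOMWARE_EVENTS.append({"action": "write", "target": _path, "nbytes": 50_000_000,
                              "sample": ENCRYPTED_SAMPLE})

# Theft reads the same files untouched and ships the bytes to an outside address.
THEFT_EVENTS = [{"action": "read", "target": p, "nbytes": 50_000_000} for p in _file_batch(6)]
THEFT_EVENTS.append({"action": "net_send", "target": "203.0.113.10:443", "nbytes": 300_000_000})

# Ordinary activity: one file read, one small plaintext write, no outbound transfer.
NORMAL_EVENTS = [
    {"action": "read", "target": "/projects/show/ep01.wav", "nbytes": 50_000_000},
    {"action": "write", "target": "/projects/show/notes.txt", "nbytes": 300, "sample": PLAIN_SAMPLE},
]

if __name__ == "__main__":
    for name, batch in (("ransomware", RANSOMWARE_EVENTS), ("theft", THEFT_EVENTS),
                        ("normal", NORMAL_EVENTS)):
        print(f"{name:>10}: {classify(batch)}  {summarize(batch)}")
```

The point of the two rules is the one the article makes: in the ransomware batch every byte read is matched by a high-entropy write to the same path and nothing is sent out, whereas in the theft batch nothing is rewritten at all and the outbound volume matches what was read. Real detection would draw on richer signals (process lineage, rename patterns, destination reputation), but even this coarse split shows why "ransomware" is the wrong label for a copy-and-extort incident.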
DataBreaches has reported on several extortion attempts by TDO. The site reports that the cybercriminals have previously hit health care organizations, such as an Indiana cancer clinic. These are not nice people.
“I personally think it would be a better move for Netflix not to pay out, but that’s just an opinion based on what I’ve read and not any specialist insight into the situation,” Ciaran McNally, a security consultant at Securit Consulting, wrote to the Observer in an email. “I’m guessing that Netflix will do a cost analysis and try to work out their potential losses from the leaks against the price the attacker is demanding (again, it’s a gamble).” We previously reported on McNally’s Pornhub bug bounty.
Symantec has advised companies to quit paying cybercriminals.
Every time a company gives in to extortion, that increases the incentive for more cybercriminals to commit more extortion. Every time a company does not give in to extortion, that lowers every other cybercriminal’s valuation of the next attempt. TDO may have made a mistake by hitting so many companies’ content at once. These firms may have felt more secure saying no because they knew that many of their peers would take a similar hit at the same time.
We’re not the first to point out that a targeted hack and exfiltration of data is not “ransomware,” but it bears repeating. These stories are confusing enough, so journalists need to get the terminology right. For example, note that we didn’t call TDO a “hacker” anywhere above. A lot of hackers are civic-minded people who help protect the internet and its users. TDO is a cybercriminal, whether or not she/he/they prefer the term “professional adversary.”
Similarly, sometimes data gets exposed not because anyone invaded a system, but because its architects made mistakes. When this happens, it shouldn’t be called a hack, as ZDNet has argued.
A random mugging on the street and a targeted burglary against a specific individual are both robberies, but they are not the same crime. Shotgun ransomware and targeted theft of IP both end in extortion, but they are not the same crime either. As the world gets deeper into an era of new threats, it is important that the public understands the differences, so they understand which threats to protect themselves against.