Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development , Ransomware

Disney Is the Latest Cyber Extortion Victim

Hacker Pirates Threaten to Pirate a Movie about Pirates
Disney Is the Latest Cyber Extortion Victim
Paul McCartney appears as a pirate gambler in the fifth Pirates of the Caribbean film, now being held for ransom by hackers. (Photo: Disney)

The response of anyone whose data is being held for ransom by attackers might best be summed up via words sung by Paul McCartney: "I wanna cry, cry, cry."

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

Beginning Friday, that's been the scenario facing multiple victims of the WannaCry ransomware, which has reportedly infected more than 200,000 endpoints in over 150 countries.

To the list of the world's shakedown victims, now add Disney, which the Guardian reports is being targeted by extortionists. Their demand: Give us bitcoins, or we'll cut up the forthcoming "Pirates of the Caribbean: Dead Men Tell No Tales" into pieces and begin posting it online.

Despite the poetic symmetry of online pirates threatening to pirate the fifth installment of a movie about pirates - and in which Paul McCartney makes an appearance as a pirate - Disney's plight is a reminder that any organization remains at risk from shakedown artists (see Ransomware: Your Money or Your Life).

To be clear, it doesn't appear that Disney's movie was stolen via WannaCry or any other type of ransomware. Instead, it's much more likely that the movie studio or a business partner got hacked.

Cyber extortion comes in many flavors, including: using crypto-locking ransomware such as WannaCry that encrypts devices and demands a cryptocurrency payment to unlock it; threatening to dox firms by releasing sensitive data that's been stolen; or threatening to launch distributed denial-of-service attacks against an organization unless it pays up.

Anyone WannaPay?

Such attacks beg this question: Should you pay?

The answer - pending any legal advice to the contrary - is that while it's never a good idea to trust either threats or promises made by criminals, in an ideal world, no one would ever pay any ransom.

In recent days, many have also called on WannaCry victims to not give in to attackers.

"Do not pay!" Britain's National Crime Agency said via Twitter, in response to the question of whether victims should ever pay.

Making the Right Choice

At the end of the day, however, law enforcement agencies in many jurisdictions say the choice is up to victims. The FBI, for example, has previously said that "the FBI does not condone payment of ransom" because it helps enable criminals to victimize others. But it says the choice is ultimately the victim's to make.

Just to be clear, I asked the NCA if, legally speaking in Britain, the choice of whether to pay was the ransomware victim's to make, and, legally speaking, if there is anything to prevent someone from paying.

"You are correct, I'm not aware of anything in law," an NCA spokesman tells me. "Obviously our guidance remains not to pay as you're unlikely to get your files back even if you do."

While no one wants to fund cybercrime, some hospitals, for example, have paid attackers to unlock their records, in the name of patient care and safety. Some are also reportedly stockpiling bitcoins so they can make rapid payments, if required (see Ransomware Extortion: A Question of Time).

If I was a patient requiring critical treatment, I'd probably back such moves. Of course, I'd have also wished that the organization in question had the right backup and recovery processes in place so that they wouldn't have to even consider paying attackers. Instead, they could just wipe and restore systems and move on.

Disney, to its credit, has said that it won't surrender even a fraction of a bitcoin to its attackers.

Never-Ending Sequels

The Disney shakedown is just one of a number of extortion attempts against the industry, with other attempts having reportedly targeted such Hollywood agencies as ICM, UTA and WME, the Guardian reports.

Last month, the new season of Netflix's hit series "Orange is the New Black" was being held for ransom by a hacker called The Dark Overlord. Netflix said the episodes had been stolen via a hack of a production studio "used by several major TV studios." The Dark Overlord claimed via Twitter to have asked Netflix for a "modest" ransom payment, and after it refused, the hacker began posting the files online.

Of course, that followed the infamous 2014 Sony Pictures Entertainment hack. The studio was hit with a devastating wiper malware attack - erasing many of its systems - and doxing campaign, featuring the release of multiple, embarrassing emails. Digital copies of multiple films were also posted online prior to their official release date.

Sony's attackers, who called themselves "G.O.P.," claimed the attacks were in reprisal for the studio's comedy film "The Interview," and its plot centering on an attempted assassination of North Korean leader Kim Jong-un. The G.O.P. attackers said they would continue doxing the studio until it called off the release of the film. Sony declined to do so.

'North Korea Actors'

At first, attackers' focus on the comedy appeared to be a smokescreen, perhaps for an ex-Sony employee with a grudge. But the FBI later tied the 2014 attack to "North Korea actors."

Security experts' collective name for the hackers behind that - and other - attacks is the Lazarus group. At least so far, however, there's no indication that any such actors are involved in the Disney shakedown.

But North Korea may be a repeat cyber extortion shakedown offender. As my colleague Jeremy Kirk reported, code used in a February 2015 Lazarus attack apparently was reused two years later in WannaCry cryptor software seen in February (see Is WannaCry the First Nation-State Ransomware?).

That might be a false flag to make it look like North Korea ordered the attacks. But with tensions between Pyongyang and the White House on the rise, it could also be North Korea attempting to throw a little chaos into the geopolitical mix.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.