An entire school district in Flathead Valley, Montana, shut down for three days after hackers going by the name of "TheDarkOverlord Solutions" targeted several schools with cyberthreats. Local investigators believe the hackers infiltrated the Columbia Falls school district's server and obtained sensitive information on current and past students, parents and staff members, including their names, addresses and medical records.
The threat actors then began sending extremely graphic, threatening messages via text and email to students, families and staff members over the weekend. They also sent the school board a ransom note demanding payment in Bitcoin in exchange for not releasing the stolen data.
About 30 schools and the Flathead Valley Community College were closed from Thursday (14 September) through Monday.
Flathead County Sheriff Chuck Curry posted the ransom note on Facebook, with some information redacted, saying "it is important to allow our community to understand that the threats were not real, and were simply a tactic used by the cyber extortionists to facilitate their demand for money."
"If you receive a message from us, it means you have been completely and thoroughly attacked and breached by an organised entity of creatures who are only motivated by their love for internet money and are responsible for some of the most serious breaches and security violation incidents in the last year," the hackers wrote.
"We are savage creatures who do not discriminate. We prefer to prey upon the likes of institutions such as your own, but not because we have anything against children, but rather for much more interesting reasons which you will soon come to understand."
The taunting ransom note also included references to the 2012 Sandy Hook Elementary School shooting. The redacted information reportedly contained personal private information of students obtained in the breach. The hackers also offered three payment options: $75,000 in bitcoin, $100,000 in bitcoin if an unnamed person writes an embarrassing five-page essay, or $150,000 in bitcoin to be paid in monthly installments over the course of a year.
"If you decide to not entertain us and agree to one of our win-win business propositions, we will escalate our use of force in a tiered process that will involve an ever increasing level of damage and harm for you," the hackers wrote.
However, Curry wrote that officials discovered the hacker group has "frequently failed to live up to their promises to not release stolen data in the past, even when their ransom demands have been met." The group, which officials have reportedly identified, is also being investigated in other active probes across the US.
"We fully understand the concern and fear that has resulted from this cyberattack, and want the community to know that all the valley law enforcement agency heads here is no threat to the physical safety of our children," Curry noted. "We will continue to work around the clock to bring those responsible to justice, and remain fully committed to this investigation, even though we now know the physical threat to our children does not exist."
Schools were reopened on Tuesday with heightened police presence and more than 15,000 students returning to classes.
Whitefish Police Chief Bill Dial told NBC the suspect is believed to be of British origin and is currently residing in Europe. He also said the hackers are on an international watch list and cannot enter the US.
"I am 100 percent confident there is no threat. It was all a ruse," Dial said. "I don't want to belabor this point. I want to make sure you people know everything that I know except for a couple of things."
In April, hackers going by the same name, TheDarkOverlord Solutions, targeted Netflix in a high-profile cyberattack, released a number of unaired episodes of the popular show Orange Is The New Black and threatened to release episodes from other series unless they were paid a ransom. The Dark Overlord has also been tied to other cyberattacks targeting ABC, HBO and healthcare facilities in the US.
However, it is still unclear if the same hacker group or someone impersonating them is responsible for the latest incident in Montana.