FBI Cyber Division Bulletin: Cyber Criminal Group Threatens Schools and Students

The following bulletin was obtained from the website of the Department of Education.

Cyber Criminal Group Threatens Schools and Students

Page Count: 3 pages
Date: January 31, 2018
Restriction: TLP Amber
Originating Organization: Federal Bureau of Investigation, Cyber Division
File Type: pdf
File Size: 501,217 bytes
File Hash (SHA-256): 801791D83C360024F9A4F3954FA11801967899205FFA905EACD20DE41E18B528

Download File

Since April 2016, a loosely affiliated group of highly trained hackers calling themselves TheDarkOverlord (TDO) have conducted various extortion schemes with a recent focus on the public school system. TDO used remote access tools to breach school district networks and then proceeded to steal sensitive data. To extort money from its victims, including students, TDO threatened violence or the release of stolen sensitive data.


As of January 2018, TDO was responsible for at least 69 intrusions into schools and other businesses, the attempted sale of over 100 million records containing personally identifiable information (PII), and the release of over 200,000 records including the PII of over 7,000 students due to nonpayment of ransoms.

TDO typically opens communications via e-mail with veiled threats of publicly releasing or selling the victim’s sensitive information. However, in September 2017, TDO escalated its tactics by threatening school shootings through text messages and emails directed at students, staff, and local law enforcement officials. As a result, several schools receiving these threats shut down for one or more days as a safety precaution. TDO then contacted the school districts several days later, demanding payment to prevent the release of student data on the internet.

TDO engages in a pattern of verbal abuse and threats of violence during communication with victims, regardless of the victims’ willingness to pay extortion demands. In a recent incident, TDO threatened to publicize the sensitive behavioral reports and private health information of students. Throughout September and October 2017, TDO was reportedly connected to multiple threats of violence on school campuses, often prior to extortion attempts. These threats caused panic, but provided TDO with no apparent monetary gain.


The FBI does not support paying a ransom to criminals. Paying a ransom does not guarantee an organization will regain access to their data. Paying a ransom emboldens the criminal to target other organizations for profit and provides a lucrative environment for other criminals to become involved. Finally, by paying a ransom, victims are funding illicit activity associated with criminal groups, and potentially terrorist groups, who will continue to target organizations for profit. While the FBI does not support paying a ransom, it is understood executives will evaluate all options to protect their organizations and those they serve. If you have received an extortion demand:

  • Contact law enforcement immediately
  • Retain the original emails with headers
  • If applicable, maintain a timeline of the attack, recording all times and content of the attack.

IT best practices to protect against network intrusions:

  • Change passwords and do not reuse passwords for multiple accounts
  • If possible, use two factor authentication
  • Be careful when providing contact information
  • Beware of social engineering tactics aimed at revealing sensitive information
  • Audit which accounts are utilizing remote access
  • Establish whitelist access for any remote access
  • Consider disabling remote access if not in use
  • Audit logs for all remote connection protocols
  • Audit all user accounts with admin privileges to ensure they are authorized for that role
  • Audit logs to ensure all new accounts were intentionally created
  • Scan for open or listening ports and remediate
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location
  • Backup copies of sensitive data should not be readily accessible from local networks
  • Ensure software or firmware updates are applied as soon as the device manufacturer releases them

Share this: