Cyber Incident Victim: Caribbean Island Properties
Date: Dec 2018
Location: Cayman Islands
Summary
TheDarkOverlord (TDO) claimed to have breached Caribbean Island Properties by exploiting weak administrative credentials and to have wiped the firm's data after it deleted files tied to the exfiltration. The attackers demanded 100,000 GBP in Bitcoin, structured as an initial 30,000 GBP payment followed by monthly installments, and threatened permanent loss of the data unless paid. TDO's communication mirrored the group's earlier extortion letters, though whether the original group was still operating remained uncertain.
Description
On or around December 4, 2018, threat actors identifying themselves as TheDarkOverlord (TDO) publicly claimed responsibility for a cyberattack on Caribbean Island Properties, a real estate firm operating in the Caribbean. TDO asserted they had compromised the company's entire infrastructure by exploiting weak administrative credentials, specifically citing the domain admin password "CiP@12345" and an email account password "12345". After gaining access, the attackers claimed to have maintained a persistent presence and exfiltrated data over an unspecified period. According to TDO's account, the victim detected and deleted some files associated with the exfiltration activity, which prompted retaliation: TDO wiped all files from Caribbean Island Properties' systems, asserting that the victim could not recover the deleted data while TDO retained copies. If those claims are accurate, the attack left the victim without access to its own data and TDO as the sole holder of it.

TDO issued a ransom demand through a detailed communication addressed to "Cindy and David", offering Caribbean Island Properties three payment options to recover their data. The primary option required a total payment of 100,000 GBP in Bitcoin (BTC), structured as a 30,000 GBP (30%) down payment by December 25, 2018, followed by twelve monthly installments of approximately 5,833 GBP. TDO framed the extended payment plan as a mutual assurance mechanism, claiming it gave them an incentive to honor the agreement. The group posted both their extortion letter and a formal contract on Pastebin, replicating the negotiation tactics and contractual language used in previous TDO operations dating back to at least 2016. Some security analysts questioned whether this activity represented the original TDO group or copycats, precisely because it so closely resembled past incidents; contextual evidence, including writing style, operational patterns, and historical consistency, supported assessments that the perpetrators were likely authentic TDO affiliates. The incident is a reminder that weak credentials, not exotic exploitation, are often what enables high-impact extortion and data-destruction attacks against small-to-medium enterprises; notably, a password like "CiP@12345" satisfies the character-class rules of many default complexity policies while remaining trivially guessable.
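The two passwords TDO cited illustrate why a character-class complexity policy is not a credential-strength check. The script below is an added example, not code from the incident report or from anyone involved; it audits a constructed list of account/password pairs for the patterns those passwords exhibit (organization-derived tokens after common character substitutions, sequential runs, word-plus-digits structure, short length) and shows that "CiP@12345" passes a typical "8 characters, three of four classes" rule while failing every practitioner check. The account names, the organization token list and the control password are constructed for the example.

```python
"""Weak-credential audit: flags passwords a naive AD-style complexity policy
would accept but an attacker would guess on the first try.
Added example; account names and ORG_TOKENS are constructed, not from the incident."""
import re
import string

# Tokens derived from the victim organization's name (constructed for this
# example): full words, initials and a plausible abbreviation.
ORG_TOKENS = ["caribbean", "island", "properties", "cip"]

# Substitutions both users and password-cracking rulesets know about.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "4": "a"})


def meets_naive_complexity_policy(pw: str) -> bool:
    """A common default rule: at least 8 characters and three of four
    character classes. 'CiP@12345' satisfies it, which is the problem."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    return len(pw) >= 8 and classes >= 3


def has_sequential_run(pw: str, min_len: int = 4) -> bool:
    """Detect ascending or descending runs of adjacent code points (1234, dcba)."""
    run = 1
    for a, b in zip(pw, pw[1:]):
        if abs(ord(b) - ord(a)) == 1:
            run += 1
            if run >= min_len:
                return True
        else:
            run = 1
    return False


def contains_org_token(pw: str) -> bool:
    """Check the lowercased password, raw and with leet substitutions undone,
    against tokens an attacker would derive from the target's name."""
    raw = pw.lower()
    normalized = raw.translate(LEET)
    return any(tok in raw or tok in normalized for tok in ORG_TOKENS)


def audit_password(pw: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means no finding."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    if pw.isdigit():
        findings.append("digits only")
    if has_sequential_run(pw):
        findings.append("contains a sequential run (e.g. 1234)")
    if contains_org_token(pw):
        findings.append("derived from the organization's name")
    # Word, optional single separator, then digits: the classic "Word@123" shape.
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z0-9]?\d+", pw):
        findings.append("word followed by digits pattern")
    return findings


# Constructed sample: the two passwords the page cites plus a control value.
SAMPLE_ACCOUNTS = {
    "domain-admin (constructed name)": "CiP@12345",
    "mailbox (constructed name)": "12345",
    "control": "q7!Tz9vL#p2wRx4e",
}


def audit_accounts(accounts: dict) -> dict:
    """Per account: whether the naive policy accepts it and what the audit finds."""
    return {
        acct: {"policy_ok": meets_naive_complexity_policy(pw),
               "findings": audit_password(pw)}
        for acct, pw in accounts.items()
    }


if __name__ == "__main__":
    for acct, result in audit_accounts(SAMPLE_ACCOUNTS).items():
        verdict = "WEAK" if result["findings"] else "ok"
        print(f"{acct}: policy_ok={result['policy_ok']} audit={verdict}")
        for reason in result["findings"]:
            print(f"  - {reason}")
```

Run against a real credential dump (for example, the output of a sanctioned domain password audit), the useful signal is the set of accounts where `policy_ok` is true and `findings` is non-empty: those are the passwords the policy engine blessed and an attacker with a name-derived wordlist and a few mangling rules would still recover.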
