Cyber Incident Victim: Prime Staff Inc.

Date: Dec 2018

Location: United States of America

Summary

A California-based professional employer organization suffered a significant breach in which the threat actor known as TheDarkOverlord compromised its systems, gaining full control over the domain and mail servers. The attackers exfiltrated thousands of employee personnel files, wiped critical data from servers in a way that prevents recovery, and issued a ransom demand with three payment options ranging from $25,000 to $50,000 in exchange for data destruction and silence. The group threatened to sell the stolen information on illicit platforms if its demands were not met, emphasizing the victim's inability to recover the lost data independently. Communication from the attackers indicated they had already deleted portions of data as retaliation for delayed responses, further crippling the organization's operations.

Description

TheDarkOverlord (TDO) compromised Prime Staff Inc., a California-based Professional Employer Organization (PEO), with the breach publicly revealed on December 4, 2018. Attackers gained control of the company’s domain and email systems, evidenced by an email sent to DataBreaches.net from the account of Rebecca Shields (also identified as Rebecca B. Gaspar), the firm’s principal. The email contained a single word—“HELP”—followed by a ransom note from TDO. Subsequent communication confirmed TDO’s control over Prime Staff’s infrastructure, as a reply to DataBreaches.net stated, “There’s no safe way to contact Shields.” TDO claimed to have exfiltrated thousands of employee personnel files and wiped the company’s servers, rendering data unrecoverable through conventional means. The attackers deployed pseudo-random data overwrites, explicitly stating, “This wasn’t some flawed ransomware deployment. This was a fucking nuke going off.”

TDO presented Prime Staff with three extortion options: $50,000 USD payable within one year, $37,500 USD with a commitment to endorse TDO to future victims, or $25,000 in Bitcoin by December 25, 2018. Additional incentives included a $10,000 refund for referring other victims. Failure to comply would result in the sale of stolen data on platforms like KickAss or public exposure. The attackers threatened to leak sensitive employee information unless paid, leveraging the PEO’s role as a custodian of personnel records for multiple businesses. TDO’s communication did not disclose their initial attack vector but emphasized their operational control, including the deletion of data during prolonged victim silence. Prime Staff’s website and operational files were fully compromised, with no recovery options mentioned. The incident disrupted the firm’s ability to service clients, as reviews and operational details were erased. TDO promoted their Twitter account (@tdo_hackers) in the ransom note, aligning with their pattern of publicizing attacks. No information was provided regarding Prime Staff’s response, law enforcement involvement, or post-incident remediation efforts.