Date: Jan 2017

Location: United States of America

Summary

The Little Red Door Cancer Services of East Central Indiana experienced a cyberattack by TheDarkOverlord, involving unauthorized data exfiltration and server wiping, though backups remained intact. Contrary to initial claims by the agency, the attackers clarified this was not a ransomware incident but an extortion attempt demanding payment to prevent public release of stolen data, which allegedly included staff Social Security numbers and client diagnostic information. The agency refused the ransom despite reduced demands and involved the FBI, while the attackers threatened to monetize or leak the data if unpaid. Discrepancies emerged between the agency's assertions about dark web exposure and the attackers' denial of prior data release.


Description

On or around January 9, 2017, Little Red Door Cancer Services of East Central Indiana (LRD), a Muncie-based nonprofit providing cancer support services, experienced a cybersecurity incident initially characterized as a ransomware attack. According to an internal email sent by Executive Director Aimee Fant on January 11, attackers compromised the agency’s terminal server and backup drive on the evening of January 9. Fant attributed the attack to TheDarkOverlord (TDO), a hacking collective previously linked by LRD to a November 2016 ransomware incident involving the City of Anderson, Indiana. Fant claimed the attackers demanded $43,000 initially, later reducing the amount to less than half, but stated LRD refused payment. She reported that cloud backups allowed data recovery without paying ransom and indicated collaboration with the FBI and IT consultants, who described the attack as unusually severe. Fant also asserted staff Social Security numbers and agency information were already on the dark web, though she downplayed client data exposure as limited to phone numbers and email addresses.


Subsequent developments revealed discrepancies in LRD’s initial account. TheDarkOverlord directly contradicted Fant’s claims in a January 17 communication with DataBreaches.net, denying any ransomware deployment or encryption of data. TDO asserted they exfiltrated LRD’s data, wiped the server (while leaving backups intact), and demanded payment solely to prevent public release of stolen information. They explicitly denied involvement in the City of Anderson attack and expressed confusion about LRD’s ransomware narrative. TDO threatened to leak “a few thousand” records containing diagnostic/clinical information if unpaid, contradicting Fant’s minimization of sensitive client data exposure. A TDO spokesperson using a compromised LRD email account disputed Fant’s dark web claims, stating no data had been posted yet.

DataBreaches.net’s attempts to contact LRD for clarification via email and phone were unsuccessful, with Fant’s voicemail full and no responses received. The incident caused operational disruption; suspicious text messages received by staff on January 11 first alerted the organization to the breach. While LRD maintained no sensitive donor/client data beyond contact information was compromised, TDO’s assertions and Fant’s acknowledgment of the attack’s severity suggested broader impacts, including potential exposure of patient health information. The final disposition of the stolen data remained unclear at the time of reporting, with TDO indicating selective release or monetization based on LRD’s compliance.
