Orange is the New Blackhat: show leaked as Netflix snubs ransom demand

News by Bradley Barth

Consumers are being warned to be wary of pirated copies of a leaked TV show which may contain malware, while organisations are urged to vet vendors' security more tightly.

Pirated copies of the prison dramedy Orange is the New Black may contain malware, consumers are being warned, as blackhat hacker The Dark Overlord releases the show to the internet after a failed attempt to extort Netflix.

Not scheduled to air until June, season five of the hit show was released on a free file-sharing website last week after Netflix refused to cave in to a ransom demand.

The hacker, who goes by the name The Dark Overlord, claims to have additional content from FOX, IFC, National Geographic and ABC. "Oh, what fun we are all going to have. We're not playing any games anymore," the attacker posted on Twitter.

The first illegal dump occurred on 28 April when The Dark Overlord posted the first episode of OITNB to file-sharing site The Pirate Bay, and an accompanying announcement on Pastebin. The remainder of the season was uploaded the following day.

The same actor has already gained a reputation across the infosec space for extorting healthcare providers and hospitals by breaching their systems, stealing their data and threatening to post it.

In reaction to the content dump, Netflix released the following official statement: "We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved."

According to a report by, that third-party vendor is Larson Studios, an audio post-production company. SC Media has reached out to Larson Studios for comment. also reported that it was contacted by The Dark Overlord last December regarding the apparent Larson breach. Reportedly, the adversary originally attempted to extort Larson before moving on to Netflix. In total, the hacker swiped at least 37 titles from a variety of entertainment companies, noted, including episodes of It's Always Sunny in Philadelphia, The Middle and Portlandia.

Michael Sutton, CISO at cloud-based security company Zscaler, praised Netflix for refusing to pay up, suggesting that doing so would only embolden attackers to commit similar acts in the future. "It's quite possible that the same attacker has succeeded elsewhere, but we've not heard about it because the ransom was paid," said Sutton in emailed comments.

"Attackers are becoming increasingly aware of the profit potential that corporate extortion can provide. We can expect this trend to continue as attackers identify additional opportunities for disrupting business, such as attacking IoT devices," Sutton continued.

Tyler Reguly, manager of the Vulnerability and Exposure Research Team (VERT) at IT security software company Tripwire, said in emailed comments that Netflix was probably too savvy to pay the ransom. However, fans of its shows could easily become secondary victims.

"It is believed that Netflix has the best viewing data of anyone because you watch it from their servers and they know exactly how many people subscribe permanently versus subscribe just for the reason of new shows, so it's likely that they know the exact impact this will have and whether or not it will hurt them better than any traditional network would, making it the wrong choice as an extortion target," said Reguly.

But with lots of viewers potentially searching the web for these leaked episodes, "This would be a great time for malware authors to load malicious content under the guise of being the leaked episode to popular torrent and movie viewing sites," Reguly continued. "I suspect that you could rapidly create a fairly large botnet comprised of the individuals looking for the content. You have to wonder if the goal was truly extortion and the stolen content or if it was just to create the rapidly spreading news that it was stolen, so that people would search and download the attacker's malware."

Several security experts commented that this incident underscored the importance of vetting the security of third-party partners, which according to are a common target of The Dark Overlord.

"The pattern of attacks by the alleged hacker that breached Netflix's partner shows that it consistently targets a third party, validating the fact that this is an easy attack vector at the heart of the majority of breaches today," said Fred Kneip, CEO of cyber-risk exchange platform CyberGRX, in emailed comments. "A lesson here is that companies need to understand that their third parties' security controls are constantly vulnerable to new exploits or configuration changes, which creates a need to monitor and mitigate these risks as they arise."

"In this case of Netflix, one of their most prized assets is their original programming which they use to differentiate their service and attract an ever-growing list of subscribers," said Matthew Gardiner, cyber-security strategist at cloud services provider Mimecast. "And no matter how strong the security programme is at Netflix, if there are weaknesses in their supply-chain the attackers will hit them there. Unfortunately, these types of attacks are now a key element of the risks that all organisations face."
