FBI Gives Hollywood Hacking Victims Surprising Advice: "Pay the Ransom"

Netflix isn't alone: Agencies and others are balancing demands for money against the fears of stolen data ending up online.

Phones are the lifeblood of a talent agency like UTA, but on April 11, its IT department discovered an intruder lurking in the voicemail system and computer network and quickly decided to shut them down, sending agents to conduct business on their iPads. Soon thereafter a demand from a hacker arrived: Pay a ransom or watch the agency's most confidential data get posted online.

It turns out UTA was lucky — an outside cybersecurity firm was brought in and, after conducting a forensic analysis, determined that nothing valuable had been pilfered. But the episode was one of at least a half-dozen extortion attempts against Hollywood firms over the past six months alone, say sources in the cybersecurity industry. Mirroring the audacity of the famed Bling Ring, the recent spate of strikes has left executives throughout the entertainment industry on edge, fearing that they — and all of their emails, contracts, celebrity addresses, banking information and salaries — might be the next Sony or Netflix, which saw 10 episodes of the upcoming season of Orange Is the New Black posted to The Pirate Bay six weeks ahead of the series' June 9 launch.

Others targeted with extortion plots include ICM and WME, the latter more significantly. Says USC cybercrime expert Michael Orosz: "A hacker breaks in through various means, steals data and then holds the company over the barrel. This is becoming more and more common because it's easy to do. It's basically low-hanging fruit."

The frequency of the attacks has overwhelmed the FBI's Los Angeles field office, which has been unable to properly investigate all of them. The FBI's surprising advice, according to industry sources: Pay the ransom. After all, the hackers aren't asking much more than a Cannes hotel tab. In all of the Hollywood extortion cases, the hackers demanded less than $80,000. A law enforcement source says that in California, losses would need to exceed $50,000 for the U.S. Attorney's office to prosecute, thus keeping the FBI from pursuing most of these cases.

But an FBI spokesperson in the L.A. office denied that the agency is telling companies to cough up the bitcoins in cases of ransomware. "The FBI does not encourage payment of ransom as it keeps the criminals in business," says Laura Eimiller. "Of course, the individual victim must weigh their options."

"If your system is wiped and you didn't pay, then there's no way to recover it and you basically shut down your entire business, so the FBI will say it's easier to pay it than it is to try to fight to get it back," says Hemanshu Nigam, a former federal prosecutor of online crime in L.A. and onetime chief security officer for News Corp. "And if one company pays the ransom, the entire hacking community knows about it."

So far, at least one Hollywood company has paid the ransom, according to a source. Others are waiting to see if anything valuable was taken, something not evident unless a victim runs a forensic analysis, which typically costs far more than the ransom demand.

•••

Netflix recently learned the consequences of not paying. Sometime in late 2016, a hacker collective known as TheDarkOverlord breached the network of postproduction facility Larson Studios and made off with a trove of unaired shows including Orange Is the New Black, CBS' NCIS: Los Angeles, Fox's New Girl and IFC's Portlandia. It wasn't until late January that the FBI began to contact the affected parties, which also included ABC, NBC, FX, National Geographic, E!, Disney Channel and Lifetime, to let them know the agency was investigating a possible hack and that their property may have been stolen. But more than a month passed without incident, eliciting relief from the networks. Then, in March, TheDarkOverlord made its first overture to the victims, demanding a ransom of 50 bitcoin (roughly $60,000) by an April 30 deadline or else the content would be released.

Netflix never responded to TheDarkOverlord, and two days before the deadline, the hackers posted on Twitter, "To those of you carefully watching this feed, allow the events that are but mere moments away to influence your choises [sic]." Twenty minutes later, the account tweeted a link to download the first episode of season five of Orange Is the New Black on Pirate Bay.

THR has been in contact with TheDarkOverlord, who said more content will be released because none of the affected parties has paid the ransom. "We're motivated by our desire to acquire internet money," TheDarkOverlord told THR via an encrypted conversation in a private chat room. "Contrary to what others have declared, we're motivated only by the benefit of financial gain." The group would not say whether it had infiltrated other Hollywood entities.

•••

Although more than two years have passed since the epic Sony hack, the phenomenon appears to be alive and well in Hollywood, albeit barely reported. TheDarkOverlord hit might be the first breach since Sony to generate headlines, but that doesn't mean the problem is rare or insignificant. One source, who declined to be named because it would violate a confidentiality agreement, called hacking one of the biggest threats facing the industry.

That's partly because few appreciate the scope of the problem. After all, Hollywood is an interconnected ecosystem, where valuable and confidential data is uploaded or shared with partners at a wide variety of organizations that in turn have varying degrees of security, says Orosz. A studio may have a solid firewall, but what about the management company it negotiates deals with, or the law firm or the publicity outfit? Last year, a hacker posing as an Interscope executive convinced a record label and management company to send copies of Lady Gaga's master audio files, according to The New York Times. (Lady Gaga's reps did not respond to a request for comment.)

Netflix probably has the resources and in-house expertise to thwart a network intruder, but few third-party vendors can match the tech brawn of a multibillion-dollar corporate giant. "Part of being data-security responsible is understanding that there's a supply chain," explains Orosz, "and everybody collectively needs to do their part to ensure that they are not the weakest link."

Privately, many of the networks victimized by TheDarkOverlord hack were quick to point fingers at Larson Studios, a postproduction facility widely used by television shows. In its only public statement on the matter, Netflix deflected blame to Larson: "A production vendor used by several major TV studios had its security compromised, and the appropriate law enforcement authorities are involved."

Experts say UTA handled its attack correctly, moving swiftly to contain the threat by getting everyone off their devices to prevent the malware from spreading. "To me, it's the first time that I actually saw an amazingly positive sign that these agencies are realizing the risks of cyberattacks in how badly it can hit their bottom line and their reputation," says Nigam. "Watching what UTA did was something that people should pay a lot of attention to in terms of this is a good example of how you respond to an attack."

The fact is, the next major breach likely has already occurred. Often the first time a company learns it has been hacked is with the arrival of a ransom note, and that can be long after its data is stolen. Hackers, typically located in foreign countries, are constantly sweeping for data, and it may take weeks or months for them to examine a cache and realize what they have.

TheDarkOverlord sees itself as a professional venture, not unlike the Hollywood companies it is trying to extort. "We're a professional business entity, and we behave as such," TheDarkOverlord told THR. "We're in this racket to create mutually beneficial long-term business relationships. A majority of our clients find our services very beneficial."

The group didn't clarify what it means by "clients," but it seems to imply that it offered investors a black market opportunity to share the profits from its extortion plots. A Times report linked the group to extortion against entities including an investment bank, a glue manufacturer, health care providers and a cancer charity.

But there are a lot of people out there who are especially interested in messing with Hollywood. At Sundance in January, hackers launched a DDoS attack that shut down the box office. Around the same time, a separate but likely related attack is believed to have disrupted Wi-Fi service for nearly all of Park City's Main Street businesses, bringing many festival events to a standstill. The FBI never confirmed whether it was investigating, telling THR that it had no update beyond that it was reviewing the incident.

"Technology continues to march at an unrelenting pace, and things are becoming much more sophisticated. What has resulted is we humans start to lose track of the environment that we are all interfacing with," says Orosz. "Hollywood is fast-paced, but no matter how fast or critical your timelines, part of that responsibility is taking care of your data security. So far, it doesn't appear to be costing business too much, but it will."

This story first appeared in the May 10 issue of The Hollywood Reporter magazine. To receive the magazine, click here to subscribe.