All the organizations that contacted security provider Radware after receiving an extortion letter were hit by Distributed Denial of Service attacks.
Traditionally, cybercriminals who deal in ransomware will capture and encrypt sensitive data and then demand payment to decrypt it. But attackers also use other types of threats to try to elicit money from a victimized organization. In a new campaign analyzed by Radware, cybercriminals threaten organizations with Distributed Denial of Service (DDoS) attacks unless they acquiesce to their ransom demands.
Published on Wednesday, a security alert entitled “2020 Ransom DDoS Campaign Update” describes how Radware and the FBI have been warning organizations about a global ransom DDoS campaign targeting financial companies and other businesses around the world.
In this campaign, organizations receive extortion messages from criminal groups going by the names “Fancy Bear,” “Armada Collective,” and “Lazarus Group.”
The letters warn the recipient that their network will be subjected to a DDoS attack in a week’s time. On the date the message is sent, the targeted organization is actually hit by a small attack, referred to in the letter as proof that the criminals have the ability to carry out their threat.
The group promises not to launch any further attacks if the victim pays the ransom, which starts out at 20 bitcoins (around $230,000) but then jumps by 10 bitcoins each day the money isn’t paid. If payment is not received by a specified deadline, the attackers give the targeted organization a “second chance to reconsider before going down for good.” If there’s still no payment, then the groups vow to launch extremely powerful DDoS attacks that peak at over two terabits per second.
“This means that your websites and other connected services will be unavailable for everyone,” the criminals threaten in their letter. “Please also note that this will severely damage your reputation among your customers who use online services.”
The three different groups have different targets, according to Radware. Lazarus Group is the name used when the target is a financial organization. Also known as “APT38,” or “BeagleBoyz” by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Lazarus is believed to have close ties with the North Korean government. This group doesn’t typically rely on DDoS as an attack vector, preferring to use malware frameworks and compromised payment networks and servers.
Fancy Bear is the group name used for targeting companies in the technology and manufacturing sectors. Also known as “APT28” or “Sofacy Group,” Fancy Bear is a Russian cyber espionage group reported to be closely tied to the GRU, Russia’s state-sponsored military intelligence agency. Rather than seeking financial gain, this group tends to target only organizations associated with government or political agencies, looking to spread political influence or chaos, Radware said.
The extortion letters from Armada Collective have used different language than the ones sent from Lazarus Group and Fancy Bear. These letters have all been consistent in their use of English (even polite, using the word “please”). The letters have also improved in quality since the start of the campaign, correcting a few typos and rephrasing certain sentences for better clarity.
What to do if you’re a victim
The threat is real. All of the organizations that contacted Radware upon receiving one of the extortion letters were the recipients of follow-up attacks, as promised by the criminal groups. Based on the size and scope of the victimized organization, the attacks have ranged from a couple of gigabits per second to hundreds of gigabits per second, in some cases going as high as 300 Gbps. Though not as severe as the threatened 2 Tbps attack, the ones carried out still proved devastating for many organizations.
However, Radware advises targeted organizations not to pay the ransom, at least not if they have proper DDoS protection. Organizations that lack the necessary protection should find a reliable partner or vendor to help shore up their defenses so that any follow-up attacks don’t disrupt their business.
Further, Radware offers a few recommendations on how to protect your organization from DDoS attacks.
- Hybrid DDoS protection. Combining on-premises and cloud DDoS protection gives real-time attack prevention while also absorbing high-volume attacks and protecting against pipe saturation.
- Behavioral-based detection. This detection can quickly and accurately identify and block anomalies while allowing legitimate traffic through.
- Real-time signature creation. This can promptly protect you from unknown threats and zero-day attacks.
- Cybersecurity emergency response plan. Such a plan entails having a dedicated emergency team of experts who have experience with Internet of Things (IoT) security and can handle IoT outbreaks.
- Intelligence on active threat actors. This provides high fidelity, correlated, and analyzed data for preemptive protection against currently active known attackers.
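As an added illustration of the behavioral-based detection Radware recommends (this is example code, not Radware’s or TechRepublic’s), the following detector compares each interval’s inbound rate against a rolling baseline and groups flagged intervals into events, so a short burst like the “proof” attack that accompanies a letter stands out from normal traffic. The per-minute samples, window size and threshold factor are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed per-minute inbound traffic in Gbps (not real measurements):
# a quiet baseline with a short burst in the middle, like the small
# proof-of-capability attack described in the extortion letters.
SAMPLE_GBPS = [0.9, 1.1, 1.0, 1.2, 0.8, 1.0, 1.1, 0.9, 1.0, 1.2,
               6.5, 7.0, 6.8, 1.1, 0.9, 1.0]


def detect_bursts(samples, window=8, k=4.0, min_delta=1.0):
    """Return indices of intervals whose rate exceeds the rolling baseline.

    The baseline is the mean and std-dev of the last `window` samples that
    were NOT flagged, so an attack interval does not raise the baseline for
    the intervals that follow it. An interval is flagged when
    rate > mean + k*std and rate - mean > min_delta; the absolute floor stops
    a very quiet link from alarming on tiny noise around a near-zero std-dev.
    """
    baseline, flagged = [], []
    for i, rate in enumerate(samples):
        if len(baseline) < window:          # warm-up: assume first samples are normal
            baseline.append(rate)
            continue
        recent = baseline[-window:]
        mu, sigma = mean(recent), pstdev(recent)
        if rate > mu + k * sigma and rate - mu > min_delta:
            flagged.append(i)
        else:
            baseline.append(rate)
    return flagged


def summarize_events(samples, flagged):
    """Group consecutive flagged indices into (start, end, peak_gbps) events."""
    events = []
    for i in flagged:
        if events and events[-1][1] == i - 1:
            start, _, peak = events[-1]
            events[-1] = (start, i, max(peak, samples[i]))
        else:
            events.append((i, i, samples[i]))
    return events


if __name__ == "__main__":
    hits = detect_bursts(SAMPLE_GBPS)
    for start, end, peak in summarize_events(SAMPLE_GBPS, hits):
        print(f"burst from minute {start} to {end}, peak {peak} Gbps")
```

An event that coincides with receipt of an extortion letter is the corroborating signal the article describes, and is the point at which the emergency response plan should be invoked rather than the ransom paid.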