Link11 identifies new wave of DDoS extortion campaigns by Fancy Lazarus
June 2021 by Link11
The Link11 Security Operations Center (LSOC) has recently observed a sharp increase in ransom distributed denial of service (RDDoS or RDoS) attacks. Enterprises from a wide range of business sectors are receiving extortion e-mails from the sender Fancy Lazarus demanding 2 Bitcoins (approx. 66,000 euros): "It’s a small price for what will happen when your whole network goes down. Is it worth it? You decide!", the extortionists argue in their e-mail. So far, LSOC has received reports of RDoS attacks from several European countries, such as Germany and Austria, and the USA and Canada.
How the DDoS extortionists operate
The perpetrators gather information about the company's IT infrastructure in advance and state clearly in the extortion e-mail which servers and IT elements they will target in the warning attacks. To exert pressure, the attackers rely on demo attacks, some of which last several hours and reach volumes of up to 200 Gbps. To achieve these attack bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the contacted company is threatened with massive high-volume attacks of up to 2 Tbps. The organization has 7 days to transfer the Bitcoins to a specific Bitcoin wallet. The e-mail also states that the ransom rises to 4 Bitcoins once the payment deadline passes and by another Bitcoin for each additional day. Sometimes the announced attacks fail to materialize after the ultimatum expires. In other cases, the DDoS attacks cause considerable disruption to the targeted companies.
Suspected perpetrators already made headlines worldwide
The perpetrators are not unknown. In the fall of 2020, payment providers, financial service providers, and banking institutions worldwide were blackmailed with identical extortion demands and hit with RDoS attacks. Hosting providers, e-commerce providers, and logistics companies were also targeted, showing that the blackmailers pick businesses indiscriminately. They have also operated under the names Lazarus Group and Fancy Bear or posed as Armada Collective. The perpetrators are even held responsible for the New Zealand stock exchange outages at the end of August 2020, which lasted several days. The new wave of extortion hits many companies at a time when a large part of the staff still works remotely and depends on undisrupted access to the corporate network. Marc Wilczek, Managing Director of Link11, said: "The rapid digitisation that many companies have gone through in the past pandemic months is often not yet 100% secured against attacks. The surfaces for cyberattacks have risen sharply, and IT has not been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision."
What to do in the event of DDoS extortion
As soon as they receive an extortion e-mail, companies should proactively activate their DDoS protection systems and not respond to the extortion under any circumstances. If the protection solution is not designed to scale to volume attacks of several hundred Gbps and beyond, it is important to find out how company-specific protection bandwidth can be increased in the short term and guaranteed with an SLA. If necessary, this should also be implemented via emergency integration.
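The two operational points above, reflected DNS traffic as the amplification vector and the need to know whether contracted protection bandwidth covers the observed volume, can be checked from flow records. The following is an added example, not Link11's or LSOC's code; the flow records, the customer prefix 203.0.113.0/24 and the 5-second window are constructed, and the "protected_gbps" figure stands in for whatever the SLA actually guarantees.

```python
"""Added example (not Link11's code): spot unsolicited DNS responses in
constructed flow records and compare their rate with the protection SLA."""
import ipaddress
from collections import defaultdict

OUR_NET = ipaddress.ip_network("203.0.113.0/24")  # hypothetical customer prefix
WINDOW_SECONDS = 5  # constructed: all flows below fall in one 5-second window

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# The first three are UDP/53 "answers" that no host of ours ever asked for.
FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 4455, "udp", 50_000_000_000),
    ("198.51.100.11", 53, "203.0.113.5", 4455, "udp", 45_000_000_000),
    ("198.51.100.12", 53, "203.0.113.6", 4455, "udp", 30_000_000_000),
    ("203.0.113.5", 51234, "192.0.2.53", 53, "udp", 120),    # our real query
    ("192.0.2.53", 53, "203.0.113.5", 51234, "udp", 4_000),  # and its answer
]


def reflected_dns_bytes(flows):
    """Return {reflector_ip: bytes} for UDP source-port-53 traffic into OUR_NET
    that does not match any query a host of ours sent in the same window."""
    queried = {(src, sport, dst) for src, sport, dst, dport, proto, _ in flows
               if proto == "udp" and dport == 53
               and ipaddress.ip_address(src) in OUR_NET}
    totals = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp" or sport != 53:
            continue
        if ipaddress.ip_address(dst) not in OUR_NET:
            continue
        if (dst, dport, src) in queried:
            continue  # legitimate answer to a query we actually sent
        totals[src] += nbytes
    return dict(totals)


def gbps(total_bytes, seconds):
    """Convert a byte count over a window to gigabits per second."""
    return total_bytes * 8 / seconds / 1e9


def assess(flows, seconds, protected_gbps):
    """Rate of reflected DNS traffic versus the contracted mitigation capacity;
    'exceeds_protection' is the signal to escalate for more bandwidth."""
    per_src = reflected_dns_bytes(flows)
    rate = gbps(sum(per_src.values()), seconds)
    return {"reflectors": sorted(per_src), "rate_gbps": round(rate, 1),
            "exceeds_protection": rate > protected_gbps}
```

Running `assess(FLOWS, WINDOW_SECONDS, 100)` on the constructed sample reports a 200 Gbps reflected rate from three sources, the volume of the demo attacks described above, and flags that a 100 Gbps contract does not cover it.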
LSOC's observation of the perpetrators over several months has shown that companies using professional and comprehensive DDoS protection can significantly reduce their downtime risk. As soon as the attackers realize their attacks are going nowhere, they stop them and are not heard from again.
LSOC advises attacked companies to file a report with law enforcement authorities. The National Cyber Security Centers are the best place to turn.