Radware is following a global ransom DDoS campaign targeting organizations in the finance, travel, and e-commerce verticals. Additionally, multiple internet service providers have been reporting DDoS attacks targeting their DNS infrastructure.
Global Ransom DDoS Campaigns
Since the middle of August, Radware has been tracking several extortion requests from threat actors posing as "Fancy Bear," "Armada Collective," and "Lazarus Group." Letters are delivered via email and typically contain victim-specific data such as Autonomous System Numbers (ASNs) or IP addresses of the servers or services they will target if their demands are not fulfilled. It is a global campaign, with threats reported by organizations in finance, travel, and e-commerce in APAC, EMEA, and North America.
The ransom fee is initially set at 10 BTC, equivalent to $113,000 at the time of the extortion. Some fees are set as high as 20 BTC (approximately $226,000). These demands are larger than those of the 2019 campaigns, which typically requested 1 or 2 BTC.
Ransom letters threaten cyberattacks of over 2 Tbps if payment is not made. To prove the letter is not a hoax, the authors indicate when they will launch a demonstration attack.
The letter indicates that if payment is not made before the deadline, the attack will continue and the fee will increase by 10 BTC (approximately $113,000) for each missed deadline. Each letter contains a Bitcoin wallet address for payment. The wallet address is unique to each target and allows the actor to track payments.
The ransom letters are very similar in their terms and demands. Threats and advertised capabilities follow the same indicators from earlier reports.
FOLLOW UP AND FOLLOW THROUGH
Radware has evidence of malicious actors following up on their initial demand. In follow-up messages, threat actors underscore that the unique Bitcoin address from the initial letter is still empty and reiterate the seriousness of the threat. They also provide keywords and organization names so the target organization can search for recent DDoS disruptions, followed by the rhetorical question "You don't want to be like them, do you?"
The threat actors state they prefer payment over attack and allow the target to reconsider paying. The threat actor will often extend the deadline by one day.
In many cases the ransom threat is followed by cyberattacks ranging from 50 Gbps to 200 Gbps. The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP floods.
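A defender triaging a follow-through attack needs to know which of the vectors above is carrying the volume. The following is an added example, not Radware's code: it classifies constructed flow records into the vectors named in this advisory (WS-Discovery replies carry UDP source port 3702, the assumed marker for that amplification vector) and reports the per-vector bit rate over a capture window against a threshold. The record format, window length and threshold are assumptions for illustration.

```python
from collections import defaultdict

# WS-Discovery service port; amplified replies arrive with this UDP source port.
WSD_PORT = 3702


def classify(flow):
    """Map one flow record to one of the attack vectors named in the advisory."""
    proto = flow["proto"]
    if proto == "icmp":
        return "icmp-flood"
    if proto == "udp":
        if flow.get("src_port") == WSD_PORT:
            return "wsd-amplification"
        if flow.get("fragmented"):
            return "udp-frag-flood"
        return "udp-flood"
    if proto == "tcp":
        if flow.get("flags", "") == "S":
            return "syn-flood"
        # ACK/RST/FIN segments that match no established session: out-of-state.
        return "tcp-out-of-state"
    return "other"


def vector_rates_gbps(flows, window_s):
    """Aggregate bytes per vector over the window and convert to Gbps."""
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f)] += f["bytes"]
    return {v: b * 8 / window_s / 1e9 for v, b in totals.items()}


def flag_vectors(flows, window_s, threshold_gbps):
    """Return the vectors whose rate meets or exceeds the threshold, sorted by name."""
    rates = vector_rates_gbps(flows, window_s)
    return sorted(v for v, g in rates.items() if g >= threshold_gbps)


# Constructed sample: byte totals per flow as seen over a 10-second window.
SAMPLE_FLOWS = [
    {"proto": "udp", "src_port": WSD_PORT, "dst_port": 40001, "bytes": 75_000_000_000},
    {"proto": "udp", "src_port": 53, "dst_port": 40002, "fragmented": True, "bytes": 12_500_000_000},
    {"proto": "udp", "src_port": 1234, "dst_port": 80, "bytes": 3_750_000_000},
    {"proto": "tcp", "src_port": 5555, "dst_port": 443, "flags": "S", "bytes": 1_000_000_000},
    {"proto": "tcp", "src_port": 5556, "dst_port": 443, "flags": "A", "bytes": 250_000_000},
    {"proto": "icmp", "bytes": 500_000_000},
]

if __name__ == "__main__":
    for vector, gbps in sorted(vector_rates_gbps(SAMPLE_FLOWS, 10).items()):
        print(f"{vector:20s} {gbps:7.2f} Gbps")
    print("over 5 Gbps:", flag_vectors(SAMPLE_FLOWS, 10, 5.0))
```

On the sample data only the WS-Discovery amplification (60 Gbps) and UDP-Frag (10 Gbps) vectors cross the 5 Gbps line, which is the kind of breakdown that tells an operator which mitigation (source-port filtering versus fragment handling) to apply first.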