Radware and the FBI warned in August about a global ransom DDoS campaign targeting financial institutions and other industries worldwide. Radware has witnessed an increase in new extortion letters from organizations across the globe.
A New Wave of Ransom Letters
Since the middle of August, Radware has been receiving letters sent to several organizations by actors posing as 'Fancy Bear', 'Armada Collective' or 'Lazarus Group'. The letters are sent to a generic email address and do not always immediately reach the right person in the organization. In some cases, letters were received by subsidiaries or branches in the wrong country.
The letters from 'Armada Collective' were an earlier outlier and used different language compared to letters from the same period and more recent extortion letters from actors posing as 'Fancy Bear' and 'Lazarus Group'. The latter are consistent in their use of the English language, matching up paragraph by paragraph. The letters have been improved since the start of the campaign: some typos were fixed, some actions were rephrased for better clarity, and press coverage of earlier DDoS attacks that impacted financial organizations was added to instill more fear.
All the letters Radware received from different organizations across the world indicate that 'Lazarus Group' is the sender when the target is a financial organization.
Intel471 recently reported that criminals posing as Lazarus Group threatened Travelex, a British foreign exchange company, with a DDoS attack unless it paid 20 bitcoins.
The moniker 'Fancy Bear' is leveraged only for Technology and Manufacturing targets. The actors seem to choose which APT to impersonate depending on the vertical they are trying to convince to pay a ransom.
The APTs have been chosen carefully by the actors and do follow a certain logic. 'Lazarus', also referred to as 'APT38', or 'BeagleBoyz' by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), has been attributed to attacks targeting mostly financial institutions and is believed to have close ties with the North Korean government.
Just last week, CISA published a warning, 'FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks'. The title of alert AA20-239A leaves little to the imagination and attributes new attacks to 'Lazarus Group' as it ramped up its efforts to raise money for its sponsor, the North Korean government. Via numerous campaigns targeting organizations in the cryptocurrency space and financial sector, the cash-strapped nation hopes to raise funds for its
While 'Lazarus' targets organizations in the finance industry, DDoS is not a tactic typically used by the group to get funds. It resorts to malware frameworks and compromised payment networks and servers.