Abstract
Over the last week, Radware’s Emergency Response Team (ERT) has been tracking an emerging global ransom denial of service (RDoS) campaign from a group identifying itself as the Russian cyber espionage group, Fancy Bear. This campaign is similar to the one Radware reported on two years ago. This new group has been distributing extortion emails to financial institutions globally for the past week. As of this moment, victims are still receiving ransom notes.
Figure 1: 2019 Fancy Bear Extortion Letter (Current)
Background
In mid-October 2019, Radware’s ERT began mitigating sample attacks launched by an RDoS group claiming to be Fancy Bear. The extortionists currently behind this campaign attempted to intimidate their victims by using the name of APT28 (Fancy Bear), an infamous cyber-espionage group. APT28 is a Russian-backed cyber espionage group, also known as Pawn Storm, Sofacy Group, Tsar Team and Fancy Bear, that is notorious for international hacking related to influence and disinformation operations. To date, RDoS attacks have not been part of Fancy Bear’s modus operandi.
Starting in October 2019, almost 2 years after the first major campaign leveraged the name, “Fancy Bear” began appearing on extortion letters again in a new RDoS campaign. This time, Fancy Bear is requesting 2 bitcoins ($17,400 at the time of delivery), with the ransom increasing by one bitcoin for every day without payment.