A new wave of DDoS extortion campaigns by Fancy Lazarus has been identified by Link11.

The sudden increase in ransom distributed denial of service (RDDoS or RDoS) attacks was recently observed by the Link11 Security Operations Centre (LSOC). Enterprises from a wide range of business sectors have been receiving extortion emails from the sender Fancy Lazarus demanding 2 Bitcoins.

“It's a small price for what will happen when your whole network goes down. Is it worth it? You decide!” the extortion email says.

The DDoS perpetrators operate by gathering information about the company's IT infrastructure in advance, and then provide details in the extortion email regarding which servers and IT components they will target for the warning attacks. To apply pressure, the attackers use demo attacks, some lasting several hours and that typically have high volumes of up to 200 GBps.

In order to achieve these bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the company is threatened with large, high-volume attacks of up to 2 TBps. The organisation then has seven days to transfer the Bitcoins.

The email also says the ransom will increase to 4 Bitcoins if the payment deadline isn't met, and then increase by one Bitcoin each additional day. In some cases, the attacks don't go ahead after the deadline expires, while other times the DDoS attacks create substantial disruption to the targeted company.

This isn't the first time the perpetrators, who operate under the names Lazarus Group and Fancy Bear, or Armada Collective, have performed these types of attacks, in 2020 payment providers, financial service providers, and banking institutions worldwide were blackmailed with an identical extortion target and hit with RDoS attacks.

Hosting providers, eCommerce providers, and logistics companies have also the focus of the blackmailers, showing they target businesses indiscriminately. The perpetrators are even credited with the New Zealand stock exchange outages at the end of August 2020, which lasted several days.

“The new wave of extortion hits many companies when a large portion of the staff are still organised via remote working and depend on undisrupted access to the corporate network,” says Link11 managing director, Marc Wilczek.

“The rapid digitisation that many companies have gone through during the pandemic months is often not yet 100% secured against attacks. The surfaces for cyberattacks have risen sharply, and IT hasn't been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision.

As soon as they receive an extortion email, LSOC says companies should proactively activate their DDoS protection systems and not respond to the extortion under any circumstances. If the protection system isn't designed to scale to volume attacks of several hundred Gbps and beyond, it's important to find out how company-specific protection bandwidth can be increased for short-term periods and guaranteed with an SLA. If necessary, this should also be implemented via emergency integration.

“Our observation of the perpetrators over several months has shown companies that use professional and comprehensive DDoS protection can significantly reduce their downtime risks,” says LSOC.

“As soon as the attackers realise their attacks are going nowhere, they stop them and let nothing more be heard of them. We advise companies attacked to file a report with law enforcement authorities, National Cyber Security Centres are the best places to turn.