Pay up or your website gets taken down

Would-be cybercriminals are posing as nation-state actors to blackmail targets to pay up or face distributed denial-of-service (DDoS) attacks.

Organizations in the finance, travel, and e-commerce sectors worldwide have been targeted with attempted extortion since mid-August, according to application delivery and DDoS mitigation vendor Radware.

In addition, multiple internet service providers have been reporting DDoS attacks targeting their DNS infrastructure.

Extortionate demands pose as messages from notorious state-sponsored advanced persistent threat (APT) groups including ‘Fancy Bear’ (Russia), ‘Armada Collective’, and ‘Lazarus Group’ (North Korea).

Threat profile

The threats typically arrive by email and include victim-specific data such as Autonomous System Numbers (ASN) or IP addresses of servers or services they will target if their demands are not fulfilled.

Around 10 BTC – $113,000 at current exchange rates – is initially demanded before a specified deadline, with these sums increasing in the case of non-compliance.

A DDoS extortion group going by the name ‘Armada Collective’ was active in 2015 and 2016, and they made a name for themselves in calling threats without following through with actual attacks.

RECOMMENDED ‘UltraRank’ cybercrime gang behind JS sniffer campaigns previously linked to Magecart

Pascal Geenens, director of threat intelligence at Radware, told The Daily Swig that it was more than likely that the threats were the work of independent cybercriminals, rather than state-backed groups running a scam on the side.

That said, these latest threats are far from empty promises, according to Radware.

“We have seen the letters followed by DDoS attacks with volumes beyond 200Gbps,” Geenens said. “The attacks are not continuous but executed regularly enough to disrupt the victim and cause damage to their business and/or reputation.”

Turning up the dial

According to Radware, in many cases the ransom threat Is followed by cyber-attacks ranging from 50Gbps to 200Gbps.

The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP Floods.

“The attacks, from what we understand, go on until the actors understand that it is of no use to continue because their target will keep fighting back, at which point they refocus on other targets,” Geenens said.

Read more of the latest DDoS attack news

Radware “strongly advise against paying the ransom”, as there is “no guarantee that the attackers will stop their threats and payments are funding the operations and motivating the assailants”.

The DDoS mitigation vendor urges enterprises to seek out protection ahead of any attacks.

The security organization was unable to say whether anyone had caved in to the extortion, much less speculate on how much money the crooks might have made.

Geenens told The Daily Swig: “So as far as we know, based on the wallets of customers that shared the information with us, nobody paid.”

Radware was unable to offer much by way of a theory about what type of individuals might be behind the scam.

INSIGHT TLS certificate lifespan cut short: A win for security, or cause for chaos?