Five Radware customers received extortion letters in December and January from a group posing as Fancy Bear, Lazarus Group and the Armada Collective, threatening a DDoS attack if they did not pay five bitcoin (worth about $200,000).
The threat group first attacked late last summer and in the fall, and all published reports and research point to the group being responsible for well-publicized attacks on the New Zealand Exchange, OTP Bank and Magyar Telecom, among many others. At the time, the FBI issued a warning about a wave of DDoS attacks.
Pascal Geenens, director of threat intelligence at Radware, reported that four of the five Radware customers targeted experienced DDoS attacks, with the longest and most powerful one running just under 10 hours at 237 gigabits per second and the shortest one lasting just a couple of hours. None of the Radware organizations affected sustained any downtime or suffered network issues because they rerouted their traffic to a Radware scrubbing center, Geenens said.
“It’s very unusual that the group attacked a second time,” Geenens said. “We think it could be because the price of bitcoin went up and they were trying to take advantage of the increased value. We have learned that they must have a substantial infrastructure to launch such a large attack and it’s possible they thought that now that they have attacked before, they could reuse the attacks and cash in while the price of bitcoin was still high.”
Although the attackers claimed to be from Fancy Bear, the Lazarus Group and the Armada Collective, it’s highly likely that the campaign originated from copycat groups instead, said Ivan Righi, cyber threat intelligence analyst at Digital Shadows.
However, the group is serious, he said, advising companies to develop a denial of service (DoS) prevention and response plan to ensure that network infrastructure can withstand such threats.
“There were instances of successful attacks on companies who failed to pay the ransom, such as the New Zealand Exchange, which reportedly experienced a four-day outage because of the attacks,” Righi said.
Geenens said the attackers tried to come across as fair and reasonable people, a common extortion technique, telling victims: “We can easily shut you down completely, but considering your company size, it would probably cost you more one day without the Internet than what we are asking, so we calculated and decided to try peacefully again. And we are not doing this for cyber vandalism, but to make money, so we are trying to make it easier for both. We will be kind and will not increase your fee. Actually, since the bitcoin price went up over 100 percent since the last time, we will temporarily decrease the fee to 5 BTC! Temporarily. Yes, pay us 5 BTC and we are gone!”
But they underscored that they meant business by saying, “Remember, we never give up. And we always come back, until we are paid. Once paid we are gone and you will never hear from us again – forever.”
Considering that the threat group failed to successfully launch attacks following the initial threats and the ransom costs have nearly tripled because of bitcoin increases, Righi said it’s highly unlikely that the targeted companies will pay the ransom.