
Ransomware campaign threatens organizations with DDoS attacks


steven36


All the organizations that contacted security provider Radware after receiving an extortion letter were hit by Distributed Denial of Service attacks.


Traditionally, cybercriminals who deal in ransomware will capture and encrypt sensitive data and then demand payment to decrypt it. But attackers also use other types of threats to try to elicit money from a victimized organization. In a new campaign analyzed by Radware, cybercriminals threaten organizations with Distributed Denial of Service (DDoS) attacks unless they acquiesce to their ransom demands.


Published on Wednesday, a security alert entitled "2020 Ransom DDoS Campaign Update" describes how Radware and the FBI have been warning organizations about a global ransomware DDoS campaign targeting financial companies and other businesses around the world.


In this campaign, organizations receive extortion messages from criminal groups going by the names "Fancy Bear," "Armada Collective," and "Lazarus Group."


The letters warn the recipient that their network will be subjected to a DDoS attack in another week. On the date the message is sent, the targeted organization is actually hit by a small attack, referred to in the letter as proof that the criminals have the ability to carry out their threat.


The group promises not to launch any further attacks if the victim pays the ransom, which starts out at 20 bitcoins (around $230,000) but then jumps by 10 bitcoins each day the money isn't paid. If payment is not received by a specified deadline, the attackers give the targeted organization a "second chance to reconsider before going down for good." If there's still no payment, then the groups vow to launch extremely powerful DDoS attacks that peak at over two terabits per second.


"This means that your websites and other connected services will be unavailable for everyone," the criminals threaten in their letter. "Please also note that this will severely damage your reputation among your customers who use online services."


The three different groups have different targets, according to Radware. Lazarus Group is the name used when the target is a financial organization. Also known as "APT38," or "BeagleBoyz" by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), Lazarus is believed to have close ties with the North Korean government. This group doesn't typically rely on DDoS as an attack vector, preferring to use malware frameworks and compromised payment networks and servers.


Fancy Bear is the group name used for targeting companies in the technology and manufacturing sectors. Also known as "APT28" or "Sofacy Group," Fancy Bear is a Russian cyber espionage group reported to be closely tied to the Russian military intelligence agency GRU, which is sponsored by the Russian government. Rather than seeking financial gain, this group tends to target only organizations that are associated with government or political agencies, looking to spread political influence or chaos, Radware said.


The extortion letters from Armada Collective have used different language than the ones sent from Lazarus Group and Fancy Bear. These letters have all been consistent in their use of English (even polite by using the word "please"). The letters have also improved in quality since the start by correcting a few typos and rephrasing certain sentences for better clarity.

What to do if you're a victim

The threat is real. All of the organizations that contacted Radware upon receiving one of the extortion letters were the recipients of follow-up attacks, as promised by the criminal groups.


Based on the size and scope of the victimized organization, the attacks have ranged from a couple of gigabits per second to hundreds of gigabits per second, in some cases going as high as 300 Gbps. Though not as severe as the threatened 2 Tbps attack, the ones carried out still proved devastating for many organizations.


However, Radware advises targeted organizations not to pay the ransom, at least not if they have proper DDoS protection. Organizations that lack the necessary protection should find a reliable partner or vendor to help shore up their defenses so that any follow-up attacks don't disrupt their business.

Effective protection

Further, Radware offers a few recommendations on how to protect your organization from DDoS attacks.


  • Hybrid DDoS protection. On-premise and cloud DDoS protection for real-time DDoS attack prevention also addresses high volume attacks and protects from pipe saturation.
  • Behavioral-based detection. This detection can quickly and accurately identify and block anomalies while allowing legitimate traffic through.
  • Real-time signature creation. This can promptly protect you from unknown threats and zero-day attacks.
  • Cybersecurity emergency response plan. Such a plan entails having a dedicated emergency team of experts who possess experience with Internet of Things security and can handle IoT outbreaks.
  • Intelligence on active threat actors. This provides high fidelity, correlated, and analyzed data for preemptive protection against currently active known attackers.

Source

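The "behavioral-based detection" in Radware's list above is, at its simplest, a volumetric baseline plus an anomaly threshold: learn what a quiet period looks like, flag seconds that blow past it, and attribute the excess to sources that were never part of normal traffic so that known clients keep flowing. The following Python sketch is an added example, not code from either article, from Radware or from any DDoS product. The traffic records, the three legitimate clients, the fifty spoofed sources in the 203.0.113.0/24 documentation range, the 3-sigma threshold and every function name are assumptions chosen for illustration; the constructed burst stands in for the small "proof" attack the extortion letters are sent with.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed traffic records, not captured data: (second, source_ip, packets).
# Three steady legitimate clients (192.0.2.x) send ~20 packets/s each with a
# small deterministic jitter; during seconds 90-99 fifty spoofed sources from
# 203.0.113.0/24 each add 100 packets/s, a short burst like the "proof" attack
# described in the extortion letters. All addresses are documentation ranges.
LEGIT_CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
BURST_SOURCES = [f"203.0.113.{n}" for n in range(1, 51)]


def build_records(start, end, with_burst=False):
    """Return constructed (second, src, packets) records for [start, end)."""
    records = []
    for second in range(start, end):
        for i, src in enumerate(LEGIT_CLIENTS):
            # jitter cycles through -2..+2 so the baseline has a known spread
            records.append((second, src, 20 + (second * 7 + i) % 5 - 2))
        if with_burst and 90 <= second < 100:
            for src in BURST_SOURCES:
                records.append((second, src, 100))
    return records


BASELINE_RECORDS = build_records(0, 60)           # quiet learning window
OBSERVED_RECORDS = build_records(60, 120, True)   # window containing the burst


def per_second_by_source(records):
    """Map second -> {source_ip: packets} from flat records."""
    table = defaultdict(lambda: defaultdict(int))
    for second, src, pkts in records:
        table[second][src] += pkts
    return table


def learn_baseline(records):
    """Mean and population std-dev of total packets/s over a quiet window."""
    totals = [sum(srcs.values()) for srcs in per_second_by_source(records).values()]
    return mean(totals), pstdev(totals)


def detect_bursts(records, baseline, k=3.0):
    """Flag seconds whose total volume exceeds mean + k*sigma of the baseline.

    Returns (threshold, {second: {"total": n, "top_sources": [(ip, pkts), ...]}}).
    """
    mu, sigma = baseline
    threshold = mu + k * sigma
    flagged = {}
    for second, srcs in sorted(per_second_by_source(records).items()):
        total = sum(srcs.values())
        if total > threshold:
            top = sorted(srcs.items(), key=lambda kv: kv[1], reverse=True)[:5]
            flagged[second] = {"total": total, "top_sources": top}
    return threshold, flagged


def candidate_block_list(records, flagged, baseline_records):
    """Sources active during flagged seconds that never appeared in the quiet
    baseline window. Clients seen in the baseline are deliberately excluded so
    legitimate traffic keeps flowing while only the burst sources are limited."""
    known_good = {src for _s, src, _p in baseline_records}
    by_second = per_second_by_source(records)
    suspects = set()
    for second in flagged:
        suspects.update(src for src in by_second[second] if src not in known_good)
    return sorted(suspects)


if __name__ == "__main__":
    base = learn_baseline(BASELINE_RECORDS)
    thr, hits = detect_bursts(OBSERVED_RECORDS, base)
    print(f"baseline mean={base[0]} sigma={base[1]:.1f} threshold={thr:.1f} pkt/s")
    for sec, info in hits.items():
        print(f"second {sec}: {info['total']} pkt/s, top {info['top_sources'][:2]}")
    blocked = candidate_block_list(OBSERVED_RECORDS, hits, BASELINE_RECORDS)
    print(f"{len(blocked)} candidate sources to rate-limit, e.g. {blocked[:3]}")
```

With the constructed data the quiet window averages 60 packets/s with a spread of 2, so the threshold lands at 66 packets/s: the ten burst seconds at roughly 5,000 packets/s are flagged, the other fifty seconds are not, and the candidate list contains exactly the fifty spoofed sources and none of the three known clients. A real deployment would key the baseline per destination and per protocol, use a longer learning window, and hand the candidate list to a rate limiter rather than a hard block, since spoofed sources can impersonate real clients.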

Fancy Bear Imposters Are on a Hacking Extortion Spree


Ransomware attacks that tear through corporate networks can bring massive organizations to their knees. But even as these hacks reach new popularity highs—and new ethical lows—among attackers, it's not the only technique criminals are using to shake down corporate victims. A new wave of attacks relies instead on digital extortion—with a side of impersonation.


On Wednesday, the web security firm Radware published extortion notes that had been sent to a variety of companies around the world. In each of them, the senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The communications threaten that if the target doesn’t send a set number of bitcoin—typically equivalent to tens or even hundreds of thousands of dollars—the group will launch powerful distributed denial of service attacks against the victim, walloping the organization with a fire hose of junk traffic strategically directed to knock it offline.


This type of digital extortion—give us what we’re asking for and we won’t attack you—has resurfaced repeatedly throughout the last decade. But in recent months, criminals have attempted to capitalize on fear about high-profile nation state attacks, combined with anxieties related to rising ransomware attacks, to try to make some extra money.


“Like a good salesperson, they follow up on the first message to convince the victim to pay before actually going to the trouble of executing an attack,” says Pascal Geenens, director of threat intelligence at Radware. “Of course, these criminals would prefer the easy money and not having to go through the process of running an attack. However, if the threat actors want to keep their campaign credible, not attacking is not an option.”


Though the attacks don’t seem to target certain regions in particular, Radware did find that hackers tended to pose as Lazarus Group when attempting to extort money from financial organizations, and as Fancy Bear when threatening technology and manufacturing victims.


In another recent example, researchers from the security firm Intel471 reported on Tuesday that hackers pretending to be Lazarus Group sent an extortion letter to the currency exchange company Travelex in late August. Attackers demanded 20 bitcoin (more than $200,000 at the time) and said that the ransom would increase by 10 Bitcoin for every day that elapsed after the initial deadline. Travelex had previously suffered a damaging ransomware attack on New Year’s Eve and reportedly paid hackers $2.3 million to decrypt the data.


“It’s a small price for what will happen when your whole network goes down,” the extortion DDoSers wrote in their email to Travelex. “Is it worth it? You decide!”


Travelex didn't pay the ransom this time, and instead weathered a DDoS attack the hackers launched as a sort of warning shot. “Whoever’s behind this probably thought that Travelex must be a soft target based on what happened at the beginning of the year,” says Greg Otto, a researcher at Intel471. “But why would you hit a company that has probably gone through the effort to shore up their security? I understand the logic, but also I just think there are holes in that logic.” Travelex did not return a request from WIRED for comment about the August extortion attempt.


Extortion DDoS attacks have never been especially profitable for scammers, because they don’t have the visceral urgency of something like ransomware, when the target is already hobbled and may be desperate to restore access. And though this has always been a weakness of the strategy, the threats are potentially even less potent now that robust DDoS defense services have become widespread and relatively inexpensive.


“Generally speaking DDoS as an extortion method isn’t as profitable as other types of digital extortion,” says Robert McArdle, director of forward-looking threat research at Trend Micro. “It’s a threat to do something as opposed to the threat that you’ve already done it. It’s like saying, ‘I might burn your house down next week.’ It’s a lot different when the house is on fire in front of you.”


Given the spotty effectiveness of extortion DDoS, attackers are invoking the notorious state-backed hacking groups in an attempt to add urgency and stakes. “They’re fear-mongers,” says Otto. And the attacks likely work at least occasionally, given that attackers keep returning to the technique. For example, Radware noted that in addition to impersonating Fancy Bear and Lazarus Group, attackers have also been going by the name “Armada Collective,” a moniker that extortion DDoS actors have invoked numerous times in recent years. It’s unclear whether the actors behind this incarnation of Armada Collective have any connection to past generations.


Though most organizations with resources for digital defense can protect themselves effectively against DDoS attacks, researchers say it’s still important to take these threats seriously and actually invest in strong protections. The FBI reinforced this message in a bulletin at the beginning of September about actors pretending to be Fancy Bear. It reported that at the beginning of August, thousands of institutions around the world began receiving extortion notes.


“Most institutions that reached the six-day mark did not report any additional activity or the activity was successfully mitigated,” the FBI wrote. “However, several prominent institutions did report follow-on activity that impacted operations.”


While the attacks may not be as crippling for most targets as ransomware can be, they still pose a nagging threat to organizations that don't have adequate DDoS defenses in place. And with so many other types of threats to navigate, it's easy to imagine that the scare tactics could work often enough to make it all worth attackers' while.


Source
