In the past few weeks, Radware's Cloud DDoS Protection Service has been seeing a significant increase in DDoS activity and has been rapidly onboarding new customers in distress.
Download the Complete Alert
"Fantasy APT Seeking Unprotected Assets"
In the past few weeks, Radware's Cloud DDoS Protection Service has been seeing a significant increase in DDoS activity and has been rapidly onboarding new customers in distress. Several internet service providers (ISPs) and cloud service providers (CSPs) have reported receiving ransom letters followed by DDoS attacks that impacted their services and availability. Going by the name "Fancy Lazarus," the action radius of this extortion group has been extending to organizations of all sizes across the world and in all verticals. No target is too small or too big.
A DDoS extortion group identifies and targets organizations with unprotected assets and invites them to pay a ransom while threatening with devastating DDoS attacks.
Background
"Fantasy APT looking for unprotected assets," sounds like a classified advertisement you typically find in the newspaper. While it might sound entertaining, it very much describes the latest tactics employed by DDoS extortionists. It has been almost a year since a malicious actor, going by the names "Fancy Bear" and "Lazarus Group," started targeting finance, travel and e-commerce organizations in what has been one of the most extensive and longest-running DDoS extortion campaigns in history.
In a ransom DDoS update, Radware covered the tactic of circling back and how extortionists were trying to accelerate their campaign to profit from the surge in Bitcoin. In that update, we noted that ransom DDoS, which have historically been short-term events, have become a persistent threat and should now be considered an integral part of the DDoS threat landscape.
Over three weeks ago, DDoS extortionists have been sending ransom letters to ISPs and CSPs posing as "Fancy Lazarus." In an attempt to instill fear in their victims and pressuring them to comply with their demands, the actors created a new "super" APT moniker, a polynomial consisting of an equal part "Fancy Bear," the Russian APT and a part "Lazarus," the North Korean APT.
In their letter, the extortionists allow their victims seven days to purchase Bitcoin and pay the ransom before beginning DDoS attacks. The fee increases each day after the deadline passes without payment. The ransom demand varies between targets and seems to be adjusted to the target's reputation and size. The ransom demand is also more "acceptable" compared to the huge demands of 10 - 20 bitcoin ($370,000 and $740,000 at the time of publication) in the August campaigns. Demands now vary between 0.5 ($18,500), 2 ($75,000) and 5 BTC ($185,000) and increase by the same amount for every day the deadline was missed.
In the last few weeks, Radware's cloud services have had numerous emergency onboardings with the mention of a ransom letter. Most of the onboardings were new customers while others were existing customers seeking to protect new assets. We did not get notified of a ransom letter received by protected customers. We are not the only DDoS protection service in the industry with this observation. That leads us to believe the actors are specifically targeting unprotected assets and organizations. The malicious actors can leverage BGP routing information to detect if targets are protected by an always-on cloud mitigation service.
Reports from victims impacted by follow-up attacks of this extortion campaign confirm this observation. Most ISPs and CSPs victims did have DDoS mitigation solutions to protect their customers. However, they were not prepared for large, globally-distributed attacks targeting their DNS services and saturating their internet uplinks.