Security solutions specialist Radware reports it is following a global ransom Distributed Denial of Service (DDoS) campaign targeting organisations in the finance, travel and e-commerce verticals. Additionally, multiple internet service providers have been reporting DDoS attacks targeting their DNS infrastructure.
Since mid-August, Radware has been tracking several extortion requests from threat actors posing as ‘Fancy Bear’, ‘Armada Collective’, and ‘Lazarus Group.’
Letters are being delivered via email and typically contain victim-specific data such as Autonomous System Numbers (ASN) or IP addresses of servers or services they will target if their demands are not fulfilled. It is a global campaign with threats reported from organisations in finance, travel and e-commerce in APAC, EMEA and North America.
The ransom fee is initially set at 10 BTC, which is equivalent to $113,000 at the time of the extortion. Some fees are set as high as 20 BTC (approximately $226,000). These demands are larger than those of the 2019 campaigns, which typically requested 1 or 2 BTC.
Ransom letters threaten cyber attacks of over 2Tbps if payment is not made. To prove the letter is not a hoax, authors indicate when they will launch a demonstration attack.
The letter indicates that if payment is not made prior to the deadline, the attack will continue and the fee will increase by 10 BTC (approximately $113,000) for each missed deadline. Each letter contains a Bitcoin wallet address for payment. The wallet address is unique for each target and allows the actor to track payments.
The ransom letters are very similar in their terms and demands. Threats and advertised capabilities follow the same indicators from earlier reports.
Radware has evidence of malicious actors following up on their initial demand. In follow up messages, threat actors underscore that the unique Bitcoin address from the initial letter is still empty and reiterate the seriousness of the threat. They also provide keywords and organisation names so the target organisation can search for recent DDoS disruptions, followed by the rhetorical question “You don’t want to be like them, do you?”
The threat actors state they prefer payment over attack and allow the target to reconsider paying. The threat actor will often extend the deadline by one day.
In many cases the ransom threat is followed by cyber attacks ranging from 50Gbps to 200Gbps. The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP floods.
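As an added illustration (not part of Radware's report), the following Python triages constructed one-second flow samples into the vectors named above and flags any vector above an assumed per-vector rate; the record format, the addresses in the sample and the threshold are all assumptions.

```python
"""Flow-record triage for the DDoS vectors named above (added example,
not Radware's; record format, sample flows and threshold are assumed).
Each constructed record: proto src sport dst dport tcp_flags bytes."""
from collections import defaultdict

WSD_PORT = 3702    # WS-Discovery listens on UDP 3702, so reflected
                   # replies reach the victim with this source port
GBPS_ALERT = 10.0  # assumed per-vector alert threshold in Gbit/s

SAMPLE_FLOWS = """
udp 198.51.100.7 3702 203.0.113.10 41234 - 9000000000
udp 198.51.100.8 3702 203.0.113.10 41234 - 6000000000
udp 192.0.2.44 53100 203.0.113.10 80 - 3000000000
tcp 192.0.2.9 40000 203.0.113.10 443 S 2000000000
tcp 192.0.2.10 40001 203.0.113.10 443 A 2500000000
icmp 192.0.2.12 0 203.0.113.10 0 - 1500000000
tcp 192.0.2.13 50000 203.0.113.10 443 S 600
tcp 192.0.2.13 50000 203.0.113.10 443 PA 800000
"""

def classify(proto, sport, flags, tuple4, syn_seen):
    """Name the vector for one flow, using the report's categories."""
    if proto == "udp":
        return "ws-discovery amplification" if sport == WSD_PORT else "udp flood"
    if proto == "icmp":
        return "icmp flood"
    if flags == "S":
        return "tcp syn flood"
    # ACK/RST/FIN/PSH segments with no handshake seen for this 4-tuple
    # are out-of-state traffic aimed at exhausting stateful devices
    return "tcp established" if tuple4 in syn_seen else "tcp out-of-state"

def triage(records=SAMPLE_FLOWS, threshold=GBPS_ALERT):
    """Return ({vector: gbit/s}, sorted vectors at or above threshold)."""
    gbits = defaultdict(float)
    syn_seen = set()
    for line in records.strip().splitlines():
        proto, src, sport, dst, dport, flags, nbytes = line.split()
        tuple4 = (src, sport, dst, dport)
        if proto == "tcp" and "S" in flags:
            syn_seen.add(tuple4)                # handshake started
        vector = classify(proto, int(sport), flags, tuple4, syn_seen)
        gbits[vector] += int(nbytes) * 8 / 1e9  # 1 s sample -> Gbit/s
    alerts = sorted(v for v, g in gbits.items() if g >= threshold)
    return dict(gbits), alerts

if __name__ == "__main__":
    rates, alerts = triage()
    print({v: round(g, 3) for v, g in rates.items()}, "alert:", alerts)
```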
Radware advises
Radware advises that ransom letters with comparable indicators should be taken seriously. The letters are often followed by DDoS attacks. These attacks are not at a level of complexity or amplitude that prevents mitigation if the right protection is in place. Radware has seen faster and better mitigation by leveraging hybrid always-on protection compared to asymmetric routed cloud protections.
Radware advises against paying the ransom demand as there is no guarantee the malicious actors will honour the terms and it ‘identifies’ the target organisation as one that is willing to pay under threat. Paying the ransom funds the malicious operation and allows the bad actors to improve their capabilities and motivates them to continue their campaign.
Internet service provider attacks
Since the last week of August, Radware has been tracking several internet service providers (ISPs) in Europe that have reported disturbances caused by DDoS attacks. The attacks are primarily targeting the DNS infrastructure of the providers and disrupt customers that use the provider’s DNS servers to resolve internet hostnames. Several providers were impacted and some have suffered multi-day disturbances across their customer base.
Currently, Radware has no immediate link between the ISP attacks and the ransom campaign. There are some ransom letters that indicate that the demonstration attack will target DNS infrastructure, but that is the extent of similarities. There have been no reports of ransom letters to ISP targets, only from finance, travel and e-commerce.
Effective DDoS protection essentials
- Hybrid DDoS Protection – On-premise and cloud DDoS protection for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation.
- Behavioural-based detection – quickly and accurately identify and block anomalies while allowing legitimate traffic through.
- Real-time signature creation – promptly protect from unknown threats and zero-day attacks.
- A cyber security emergency response plan – a dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks.
- Intelligence on Active Threat Actors – high fidelity, correlated and analysed data for pre-emptive protection against currently active known attackers.
For further network and application protection measures, Radware urges companies to inspect and patch their network in order to defend against risks and threats.
Effective web application security essentials
- Full OWASP Top-10 coverage against defacements, injections, etc.
- Low false positive rate – using negative and positive security models for maximum accuracy
- Auto policy generation capabilities for the widest coverage with the lowest operational effort.
- Bot protection and device fingerprinting capabilities to overcome dynamic IP attacks and achieve improved bot detection and blocking.
- Securing APIs by filtering paths, understanding XML and JSON schemas for enforcement, and activity tracking mechanisms to trace bots and guard internal resources
- Flexible deployment options – on-premise, out-of-path, virtual or cloud-based.