Companies worldwide have continued to receive extortion emails threatening to launch a distributed denial-of-service (DDoS) attack on their network, unless they pay up – with British foreign-exchange company Travelex reportedly being one recent high-profile threat recipient.
Researchers said that since mid-August, several companies have been sent emails that warn that their company network will be hit by a DDoS attack in about a week. The initial ransom demand is set at 20 BTC – which translates to about $230,000 at the time of writing – and cybercriminals threaten to increase that ransom by 10 BTC for each day not paid, said researchers.
While a high level of activity was first tracked in August, that activity then slowed down in the first half of September – only to “grow significantly” at the end of September and beginning of October, Radware researchers told Threatpost.
Travelex (which has undergone its fair share of security woes over the past year, starting with a New Year’s ransomware attack) was one such org threatened with a DDoS attack, unless it paid 20 bitcoins (BTC), Intel471 researchers reported on Tuesday. A bitcoin wallet address in the email shows that Travelex did not pay the attackers at any point, they said.
“Following the extortion email, the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains,” according to Intel471 researchers. “Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers.”
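The DNS amplification follow-up described above is visible at the network edge as a flood of large UDP responses from public resolvers arriving at hosts that never sent a matching query. The following added example (not Intel471's, Radware's or Travelex's code) shows that check over constructed flow records; the 203.0.113.0/24 target range, the 198.51.100.7 peer and the byte counts are hypothetical, and the thresholds are assumptions to tune per network.

```python
import ipaddress
from collections import defaultdict

# Hypothetical internal range (RFC 5737 documentation space), not any real victim's.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")

# Constructed one-second window of flow records: (src, sport, dst, dport, proto, bytes, pkts).
FLOWS = [
    # legitimate: an internal host queries 8.8.8.8 and gets a small reply back
    ("203.0.113.10", 51234, "8.8.8.8", 53, "udp", 70, 1),
    ("8.8.8.8", 53, "203.0.113.10", 51234, "udp", 150, 1),
    # unsolicited, large DNS responses from public resolvers hitting a host that never asked
    ("8.8.8.8", 53, "203.0.113.20", 443, "udp", 3_600_000, 900),
    ("8.8.4.4", 53, "203.0.113.20", 443, "udp", 3_400_000, 850),
    ("203.0.113.20", 443, "198.51.100.7", 40001, "tcp", 2_000, 4),
]

def dns_amplification_suspects(flows, ratio_threshold=10.0, min_bytes=1_000_000):
    """Return {victim_ip: (unsolicited_response_bytes, set_of_resolvers)} for internal
    hosts receiving DNS-response traffic (UDP src port 53) that no query of theirs explains."""
    queried_bytes = defaultdict(int)   # internal host -> bytes it sent to port 53
    response_bytes = defaultdict(int)  # internal host -> unsolicited bytes from port 53
    resolvers = defaultdict(set)
    outbound_queries = set()           # (internal_ip, resolver_ip, client_port) actually sent
    # Pass 1: record every DNS query an internal host genuinely originated.
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto == "udp" and dport == 53 and ipaddress.ip_address(src) in INTERNAL:
            queried_bytes[src] += nbytes
            outbound_queries.add((src, dst, sport))
    # Pass 2: count DNS responses that do not pair with one of those queries.
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp" or sport != 53 or ipaddress.ip_address(dst) not in INTERNAL:
            continue
        if (dst, src, dport) in outbound_queries:
            continue                   # reply to a query this host really sent: benign
        response_bytes[dst] += nbytes
        resolvers[dst].add(src)
    suspects = {}
    for victim, rbytes in response_bytes.items():
        ratio = rbytes / max(queried_bytes[victim], 1)  # response bytes per query byte
        if rbytes >= min_bytes and ratio >= ratio_threshold:
            suspects[victim] = (rbytes, resolvers[victim])
    return suspects

if __name__ == "__main__":
    for victim, (nbytes, srcs) in dns_amplification_suspects(FLOWS).items():
        print(f"{victim}: {nbytes} unsolicited DNS-response bytes from {sorted(srcs)}")
```

Because the reflected responses are legitimate from the resolver's point of view (the attacker spoofed the victim's address in the query), the useful signal is the absence of a matching outbound query, not the resolver's identity; blocking 8.8.8.8 outright would also break the organisation's own lookups.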
Threatpost has reached out to Travelex for further comment on the DDoS extortion threat.
While the ransom DDoS campaign has been ongoing since August and has received widespread coverage, researchers with Radware said in a Wednesday post that they are continuing to see companies worldwide receive the extortion emails – and that attackers are becoming more sophisticated.
“There is no way to communicate with the blackmailers, so there is no option to negotiate and the only way to get a message through is by sending BTC to the bitcoin address mentioned in the letter,” researchers said.
The extortion emails claim that the threat group has already launched a small DDoS attack on the victim’s IPs (belonging to the ASN mentioned in the letter) to give the threat legitimacy. The attackers also claim that they have the ability to perform volumetric attacks that peak at 2Tbps – almost reaching the levels of the 2.3Tbps attack targeting an Amazon Web Services client in February that was the largest volumetric DDoS attack on record.
“These threats are not hoaxes, and the actors have followed up with attacks,” Pascal Geenens, director of threat intelligence at Radware, told Threatpost. “While we have not observed the 2TBps attack threatened in the letter included in the report, organizations have seen attacks ranging up to 300GBps and combining multiple attack vectors. These attacks can be devastating for many organizations.”
A sample DDoS ransom letter. Credit: Radware
Of note, the extortion threats were sent to generic email addresses within the companies, which did not always reach the right person in the organization – and were even sometimes received by subsidiaries of companies in the wrong country. However, while earlier iterations of the ransom note were elementary, researchers observed the threat actor increasing their sophistication.
“The letters have been improved since the start of the campaign by fixing some typos, rephrasing some actions for better clarity, and press coverage of earlier DDoS attacks that impacted financial organizations has been added to instill more fear,” said researchers.
The threat actor purports to be various APTs, posing as Fancy Bear, Armada Collective and Lazarus Group. The actors seem to pick which APT to impersonate based on the vertical they are trying to convince to pay a ransom: The cybercriminals purport to be Lazarus Group when targeting financial organizations (as in Travelex’s case), while they pretend to be Fancy Bear when targeting technology and manufacturing orgs.
However, researchers pointed to discrepancies that show that the threat actors are merely posing as these APTs as opposed to being the real deal: “Based on what we know about the standard tactics, techniques and procedures of these APT groups, the threat activity that we are seeing does not match up,” Geenens told Threatpost. “Attribution is mostly guesswork, and it’s impossible to make an absolute statement one way or another. Even if an APT group were to admit to these threats, it would be impossible to confirm whether they are even telling the truth.”
It’s worth noting that these ransom threats are nothing new. In 2019, cybercriminals posing as Fancy Bear launched DDoS attacks against companies in the financial sector and demanded ransom payments. And back in 2016, a group (who also called themselves the Armada Collective) sent extortion emails to various online businesses threatening to launch DDoS attacks if they weren’t paid in Bitcoin. All the way back in 2015, the FBI said that it was seeing an increase in the number of companies being targeted by scammers threatening to launch DDoS attacks if they don’t pay a ransom.
In their ransom letters, attackers claim there are no counter-measures to protect against their attacks. Researchers said this isn’t the case, and advised organizations to not pay the ransom demand: “There is no guarantee blackmailers will honor the terms of their letter,” they said. “Paying only funds future operations, allows them to improve their capabilities and motivates them to continue the campaign.”