Last year, a DDoS extortionist posing as ‘Fancy Bear’ and ‘Lazarus Group’ targeted industries including finance, travel and e-commerce in what turned out to be one of the most extensive and longest-running DDoS extortion campaigns in history.
Radware says it has seen a spike in new business associated with DDoS ransomware threats from an actor calling itself Fancy Lazarus, asking for 'protection money' with the threat of devastating DDoS attacks.
The amount demanded seems to be based on the target’s reputation and size, and varies between 0.5 Bitcoins ($18,500) and five Bitcoins ($185,000).
Victims are given seven days to pay up, and if they don't, the amount demanded is multiplied by the number of days since the initial deadline.
“This is the first time we are seeing the bad actors selectively target organisations and favour those with unprotected assets for their ransom letters,” said Radware director of threat intelligence Pascal Geenens.
“This implies that malicious actors are leveraging Border Gateway Protocol routing information to detect whether targets are protected by always-on cloud protection services.
"In addition, we’re seeing that ransom DDoS, which traditionally was an event limited in time with yearly spikes, is now becoming a persistent threat, and should be considered an integral part of the DDoS threat landscape.”
Most internet service provider (ISP) and cloud service provider (CSP) victims were using DDoS mitigation services to protect their customers. But it seems not all of them were prepared for large, globally distributed attacks targeting their DNS servers or saturating their internet links.
Radware's position is that very large and globally distributed DDoS attacks can be effectively mitigated only by stopping malicious traffic closest to its source and never allowing multiple geographically distributed traffic streams to flock. This requires globally distributed and anycasted protection services.
Geenens added “The recent uptick in criminal activity should be a strong reminder to enterprises, ISPs and CSPs of any size and industry to assess the protection of their essential services and internet connections and plan against globally distributed DDoS attacks aimed at saturating links.
"This is especially in the case of service providers and their DNS services. We believe hybrid DDoS solutions provide the best of both worlds with on-premises protection against all types of DDoS attacks while automatically diverting to a cloud DDoS service when the attack risks saturating the internet link.”