Fancy Lazarus DDoS Extortion Group Back With New Campaign

Cyber criminals continue to seek ways to extort payments from potential victims, as evidenced by the scourge of ransomware attacks over the past two years.

But now European IT security provider Link11 has warned in a blog post that its Security Operations Center (LSOC) has observed a sharp increase in ransom distributed denial of service (RDDoS or RDoS) attacks.

This new wave of DDoS extortion campaigns is targeting companies across Europe and North America in the name of Fancy Lazarus, warned Link11.

DDoS extortion

In February this year Neustar said that it had seen a massive rise in denial-of-service attacks over the past year, with more attackers now demanding ransoms. Indeed it found DDoS attacks rose by 154 percent, or more than two and a half times, in 2020 compared with 2019.

A traditional DDoS attack usually involves the use of a distributed network of bots – usually computers that have been infected with malware without the knowledge of their users – to send junk traffic that overloads an organisation’s systems, making them inaccessible.

Ransom-related DDoS attacks, however, are typically preceded by an extortion email promising a small attack the following day, followed by an attack utilising up to 2 terabits per second (Tbps) of junk traffic if the ransom is not paid.

Google last October disclosed a 2.5Tbps DDoS attack that is currently the internet’s largest-known incident of its kind.

Attackers often sign the letter with the name of well-known, state-backed attack groups, including Fancy Bear, the Lazarus Group and the Armada Collective.

Fancy Lazarus seems to be a combination of those two groups.

Pay or Suffer DDoS

On Wednesday LSOC said that ransom distributed denial of service (RDDoS or RDoS) attacks are targeting enterprises from a wide range of business sectors.

The victims are receiving extortion e-mails from the sender Fancy Lazarus demanding two bitcoins.

“It’s a small price for what will happen when your whole network goes down. Is it worth it? You decide!”, the extortionists reportedly argue in their email.

So far, LSOC has received reports of RDoS attacks from several European countries, such as Germany and Austria, and the USA and Canada.

According to Link11, the DDoS extortionists gather information about the company’s IT infrastructure in advance and provide clear details in the extortion email about which servers and IT elements they will target for the warning attacks.

“To exert pressure, the attackers rely on demo attacks, some of which last several hours and are characterised by high volumes of up to 200Gbps,” said Link11. “To achieve these attack bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the contacted company is threatened with massive high-volume attacks of up to 2Tbps.”
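The demo attacks Link11 describes rely on DNS reflection: the victim receives a flood of large DNS responses from many open resolvers it never queried, so on the victim's side the tell-tale signs are inbound UDP traffic from source port 53, a large average packet size, many distinct sources and a response-to-query byte ratio far above what ordinary resolution produces. The following detector is an added example written for this article, not code from Link11 or the original page. It runs over constructed NetFlow-style records (the IP addresses are from documentation ranges and the thresholds are assumed, not taken from Link11's report) and flags hosts whose inbound DNS-response traffic matches a reflection amplification pattern; the sample records are sized so the flagged host sees the 200Gbps figure quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record, as a NetFlow/IPFIX collector would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    byte_count: int


# Constructed sample: a 10-second export window. 203.0.113.10 is the extortion
# target being hit from four open resolvers; 203.0.113.20 is an ordinary host
# doing normal DNS lookups. All addresses are documentation (TEST-NET) ranges.
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    # Reflected DNS responses arriving at the target: ~1250-byte packets, from
    # reflectors the target never queried. Totals 2.5e11 bytes = 200 Gbps.
    Flow("198.51.100.11", 53, "203.0.113.10", 41234, "UDP", 50_000_000, 62_500_000_000),
    Flow("198.51.100.12", 53, "203.0.113.10", 41235, "UDP", 50_000_000, 62_500_000_000),
    Flow("198.51.100.13", 53, "203.0.113.10", 41236, "UDP", 50_000_000, 62_500_000_000),
    Flow("198.51.100.14", 53, "203.0.113.10", 41237, "UDP", 50_000_000, 62_500_000_000),
    # The target's own legitimate outbound queries are tiny by comparison.
    Flow("203.0.113.10", 50001, "198.51.100.1", 53, "UDP", 60, 4_200),
    Flow("203.0.113.10", 50002, "198.51.100.1", 53, "UDP", 40, 2_800),
    # Benign host: small queries out, modest answers back from one resolver.
    Flow("203.0.113.20", 50003, "198.51.100.1", 53, "UDP", 50, 3_500),
    Flow("198.51.100.1", 53, "203.0.113.20", 50003, "UDP", 50, 8_000),
]


def summarize(flows, window_seconds):
    """Per-host DNS traffic profile: inbound response volume, distinct response
    sources, average response size and the response-to-query byte ratio."""
    raw = defaultdict(lambda: {"resp_bytes": 0, "resp_packets": 0,
                               "query_bytes": 0, "sources": set()})
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.src_port == 53:            # DNS answer arriving at dst_ip
            s = raw[f.dst_ip]
            s["resp_bytes"] += f.byte_count
            s["resp_packets"] += f.packets
            s["sources"].add(f.src_ip)
        elif f.dst_port == 53:          # DNS query leaving src_ip
            raw[f.src_ip]["query_bytes"] += f.byte_count

    summary = {}
    for host, s in raw.items():
        resp_bits_per_sec = s["resp_bytes"] * 8 / window_seconds
        avg_response = s["resp_bytes"] / s["resp_packets"] if s["resp_packets"] else 0.0
        # No outbound queries at all but responses coming in: ratio is unbounded.
        amplification = (s["resp_bytes"] / s["query_bytes"]
                         if s["query_bytes"] else float("inf"))
        summary[host] = {
            "gbps": resp_bits_per_sec / 1e9,
            "avg_response_bytes": avg_response,
            "amplification": amplification,
            "sources": len(s["sources"]),
        }
    return summary


def flag_reflection_targets(summary, min_gbps=1.0, min_sources=3,
                            min_amplification=10.0, min_avg_response_bytes=512):
    """Hosts whose inbound DNS-response profile looks like reflection
    amplification. Thresholds are assumed starting points; a site running its
    own busy recursive resolver would need those resolvers allow-listed."""
    return sorted(
        host for host, s in summary.items()
        if s["gbps"] >= min_gbps
        and s["sources"] >= min_sources
        and s["amplification"] >= min_amplification
        and s["avg_response_bytes"] >= min_avg_response_bytes
    )


if __name__ == "__main__":
    profile = summarize(SAMPLE_FLOWS, WINDOW_SECONDS)
    for host in flag_reflection_targets(profile):
        s = profile[host]
        print(f"{host}: {s['gbps']:.1f} Gbps of DNS responses from "
              f"{s['sources']} sources, avg {s['avg_response_bytes']:.0f} B/pkt")
```

The ratio check is what separates a reflection flood from a host that simply does a lot of DNS: a legitimate client's answers are a few times larger than its queries, whereas a reflection target receives orders of magnitude more response bytes than it ever sent, often from resolvers it never contacted. Feeding real flow exports in place of the constructed list and lowering `min_gbps` to a site's normal baseline is the intended way to use it.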

The victim organisation is given seven days to transfer the Bitcoins to a specific Bitcoin wallet. The email also reportedly states that the ransom would increase to 4 Bitcoin with the passing of the payment deadline and increase by another Bitcoin with each additional day.

Sometimes, the announced attacks fail to materialise after the expiration of the ultimatum. In other cases, DDoS attacks cause considerable disruption to the targeted companies.

Pandemic vulnerability

And it seems that the new wave of extortion is hitting many companies while a large part of their staff is still working remotely because of the Coronavirus pandemic.

“The rapid digitisation that many companies have gone through in the past pandemic months is often not yet 100 percent secured against attacks,” noted Marc Wilczek, managing director of Link11.

“The surfaces for cyber attacks have risen sharply, and IT has not been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision,” Wilczek added.

Link11 advises organisations confronting a DDoS extortion attempt to proactively activate their DDoS protection systems and not respond to the extortion under any circumstances.

LSOC also advises attacked companies to file a report with law enforcement authorities. The National Cyber Security Centers are the best place to turn to for assistance and advice.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
