DDoS extortion campaign targets financial firms, retailers
The extortionists attempt to scare the targets into paying by claiming to represent some of the world's most notorious threat groups
The attackers have been targeting organizations operating in various industries, notably finance, travel, and e-commerce. However, they don't seem to be targeting any specific region, as ransom letters have been sent to organizations residing in the United Kingdom, the United States and the Asia-Pacific region.
According to ZDNet, the group is also behind a string of attacks against MoneyGram, YesBank, Braintree, Venmo and, most recently, the New Zealand stock exchange, which was forced to halt trading for three days running.
The ransom note names specific assets at the victim organization that will be hit by a 'test attack' to demonstrate that the threat is real. Akamai, which has been tracking the campaign, has recorded some of these DDoS attacks peaking at almost 200 Gbps, whereas an earlier attack against one of its customers came in at 'only' 50 Gbps.
As part of their scare tactics, the cybercriminals take up the guise of notorious hacking groups, namely Sednit, also known as Fancy Bear, and Armada Collective. The activities of the former group have been the subject of extensive ESET research. Nothing in the campaign indicates that the genuine groups are involved; the names are borrowed purely for intimidation.
The extortionists contact their victims by email, warning them of a looming DDoS attack unless they pay the demanded ransom in Bitcoin within a specified timeframe. The demand varies based on the group being impersonated and ranges from 5 BTC (roughly US$57,000 at the time) to 20 BTC (around US$227,000), with the price increasing if the deadline is missed.
The attackers ramp up their intimidation tactics further by describing the possible consequences: "…your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. […] We will completely destroy your reputation and make sure your services will remain offline until you pay. (sic)" reads a ransom note excerpt published by Akamai.
RELATED READING: Spammed-out emails threaten websites with DDoS attack on September 30th
Indeed, reputational damage combined with downtime could cost the targeted companies millions in lost revenue. However, even if a targeted organization were to consider paying the ransom, there is no guarantee that the extortionists would cease their attacks; paying marks the organization as willing to pay, and a quick payday may also encourage the group to target other companies.
DDoS attacks, including those accompanied by extortion, have been around for years, and ESET Security Specialist Jake Moore notes that organizations shouldn't underestimate the threat.
"These gangs will continue to cause havoc by directing massive volumes of traffic to a website, either to send a message or test the site's defenses in preparation for further attacks. It's clear that we should never take this threat too lightly and need to start protecting now for even stronger DDoS bombs," he said.