Security experts are warning of a new global DDoS-related extortion campaign targeting businesses operating in the e-commerce, finance and travel sectors.
Radware said it had been tracking the threat actors since mid-August, with victims in North America, APAC and EMEA. Emails are typically delivered claiming to come from state-sponsored groups such as Fancy Bear and Lazarus Group, as well as the “Armada Collective.”
The latter group has been linked to similar extortion emails sent in previous years.
The ransom emails threaten to launch DDoS attacks of over 2Tbps against the recipient organization if a payment of between 10 and 20BTC ($113,000-226,000) is not made. They also threaten to increase the ransom by 10BTC for each deadline missed.
Also included in the messages are the Autonomous System Numbers (ASNs) or IP addresses of servers or services that the group says it will target if their demands are not met.
“In follow-up messages, threat actors underscore that the unique Bitcoin address from the initial letter is still empty and reiterate the seriousness of the threat. They also provide keywords and organization names so the target organization can search for recent DDoS disruptions, followed by the rhetorical question ‘You don’t want to be like them, do you?’,” Radware explained.
“In many cases the ransom threat is followed by cyber-attacks ranging from 50Gbps to 200Gbps. The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP Floods.”
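Radware's list of vectors above is qualitative; the following added example (not code from Radware or the article) shows one way a network defender could bucket sampled flow records into those same vector families and estimate how many Gbps each contributes, which is what decides whether to pull a scrubbing or RTBH lever. The `Flow` layout, the 1:1000 packet-sampling assumption and the classification heuristics are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    """One sampled packet (constructed layout, roughly what sFlow/NetFlow exports)."""
    proto: str       # "udp", "tcp" or "icmp"
    src_port: int
    dst_port: int
    flags: str       # TCP flags as letters, e.g. "S", "A", "SA"; "" for non-TCP
    fragment: bool   # True for a non-first IP fragment
    length: int      # bytes on the wire

WSD_PORT = 3702  # WS-Discovery (SOAP-over-UDP); amplified replies carry this source port


def classify(f: Flow) -> str:
    """Map a sampled packet onto the vector families named in the Radware quote.

    Heuristic: without connection tracking, a TCP packet that is not a bare SYN and
    carries no SYN bit is treated as "out-of-state"; a real detector would consult
    its flow table before drawing that conclusion.
    """
    if f.proto == "icmp":
        return "icmp-flood"
    if f.proto == "udp":
        if f.fragment:
            return "udp-frag-flood"
        if f.src_port == WSD_PORT and f.length > 512:
            return "wsd-amplification"
        return "udp-flood"
    if f.proto == "tcp":
        if f.flags == "S":
            return "tcp-syn-flood"
        if "S" not in f.flags:
            return "tcp-out-of-state"
    return "other"


def vector_mix(flows, window_s: float, sample_rate: int = 1000) -> dict:
    """Estimated Gbps per vector for a window of 1:N sampled packets."""
    bytes_by_vec = Counter()
    for f in flows:
        bytes_by_vec[classify(f)] += f.length * sample_rate
    return {v: round(b * 8 / window_s / 1e9, 3) for v, b in bytes_by_vec.items()}


if __name__ == "__main__":
    # Constructed one-second sample: WS-Discovery replies mixed with bare SYNs.
    sample = [Flow("udp", WSD_PORT, 51234, "", False, 1400)] * 5 \
           + [Flow("tcp", 40000, 443, "S", False, 60)] * 3
    print(vector_mix(sample, window_s=1.0))
```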
Recipients of the emails were urged not to pay the ransom.
At the same time, Radware claimed to have observed multiple European ISPs being hit by DNS DDoS attacks since last week, although there’s no obvious link to the ransom campaign.
A group using the name “Armada Collective” tried a similar ransom ploy back in 2016, when Cloudflare claimed that it had heard from 100 customers who had received extortion threats and demands for payment of 10-50BTC.