Corporations around the globe – which includes Travelex – have been sent letters threatening to start DDoS attacks on their network unless of course a $230K ransom is paid.
Organizations throughout the world have continued to get extortion e-mails threatening to launch a distributed denial-of-service (DDoS) attack on their network, except they spend up – with British overseas-exchange organization Travelex reportedly getting just one new superior-profile risk receiver.
Researchers reported that since mid-August, many providers have been despatched email messages that warn that their business network will be hit by a DDoS attack in about a 7 days. The original ransom demand from customers is set at 20 BTC – which translates to about $230,000 at the time of composing – and cybercriminals threaten to boost that ransom by 10 BTC for each individual working day not paid, explained scientists.
Though a significant amount of activity was 1st tracked in August, that exercise then slowed down in the initially 50 percent of September – only to “grow significantly” in the conclude of September and beginning of October, Radware researchers explained to Threatpost.
Travelex (which has gone through its fair share of security woes more than the past 12 months, commencing with a New Year’s ransomware attack) was one these kinds of org threatened with a DDoS attack, unless it compensated 20 bitcoins (BTC), Intel471 researchers reported on Tuesday. A bitcoin wallet handle in the email reveals that Travelex did not shell out the attackers at any issue, they mentioned.
“Following the extortion email, the risk actor performed a volumetric attack on a custom port of 4 IP addresses serving the company’s subdomains,” in accordance to Intel471 scientists. “Two times later on, the attackers carried out another DNS amplification attack against Travelex applying Google DNS servers.”
Threatpost has arrived at out to Travelex for even further remark on the DDoS extortion menace.
Ongoing DDoS Extortion Threats
Although the ransom DDoS marketing campaign has been ongoing because August and has acquired popular protection, scientists with Radware claimed in a Wednesday put up that they are continuing to see businesses throughout the world get the extortion email messages – and that attackers are becoming far more refined.
“There is no way to communicate with the blackmailers, so there is no selection to negotiate and the only way to get a information as a result of is by sending BTC to the bitcoin handle talked about in the letter,” researchers claimed.
The extortion email messages assert that the menace group has by now launched a tiny DDoS attack on the victim’s IPs (of the ASN selection pointed out in the letter) to give the threat legitimacy. The attackers also claim that they have the means to complete volumetric assaults that peak at 2Tbps – pretty much reaching the degrees of the 2.3Tbps attack concentrating on an Amazon Web Expert services customer in February that was the biggest volumetric DDoS attack on history.
“These threats are not hoaxes, and the actors have followed up with attacks,” Pascal Geenens, director of risk intelligence at Radware, told Threatpost. “While we have not observed the 2TBps attack threatened in the letter provided the report, businesses have seen assaults ranging up to 300GBps and combining several attack vectors. These assaults can be devastating for a lot of businesses.”
Of note, the extortion threats were sent to generic email addresses within just the companies, which did not often access the correct particular person in the firm – and were being even often received by subsidiaries of companies in the mistaken state. Having said that, while previously iterations of the ransom note were elementary, scientists noticed the menace actor increasing their sophistication.
“The letters have been improved considering the fact that the start off of the marketing campaign by correcting some typos, rephrasing some steps for greater clarity, and push protection of before DDoS attacks that impacted financial corporations has been additional to instill a lot more panic,” claimed researchers.
The threat actor purports to be several APTs, posing as Extravagant Bear, Armada Collective and Lazarus Team. The actors appear to be to have a preference of APT based on the vertical they are striving to influence to pay back a ransom: The cybercriminals purport to be Lazarus Team when concentrating on monetary companies, (this kind of as in Travelex’s scenario, for instance), although they pretend to be Fancy Bear when targeting technology and production orgs.
Nevertheless, researchers pointed to discrepencies that display that the danger actors are basically posing as these APTs as opposed to getting the actual deal: “Based on what we know about the conventional ways, procedures and processes of these APT teams, the threat action that we are seeing does not match up,” Geenens explained to Threatpost. “Attribution is generally guesswork, and it is unattainable to make an complete assertion one particular way or one more. Even if an APT group were being to admit to these threats, it would be unattainable to confirm whether or not they are even telling the fact.”
It’s really worth noting that these ransom threats are absolutely nothing new. In 2019, cybercriminals posing as Fancy Bear launched DDoS attacks against organizations in the financial sector and demanded ransom payments. And back in 2016, a group (who also referred to as by themselves the Armada Collective) sent extortion e-mail to different online businesses threatening to launch DDoS assaults if they weren’t paid out in Bitcoin. All the way again in 2015, the FBI reported that it was viewing an maximize in the variety of corporations staying qualified by scammers threatening to launch DDoS assaults if they really do not pay a ransom.
In their ransom letters, attackers assert there are no counter-steps to defend in opposition to their attacks. Scientists reported this is not the case, and suggested corporations to not pay the ransom desire: “There is no warranty blackmailers will honor the phrases of their letter,” they said. “Paying only funds future operations, enables them to increase their abilities and motivates them to continue on the marketing campaign.”
Some pieces of this report are sourced from: