DDoS Extorters Kadyrovtsy target German Businesses

  • Fabian Sinner
  • June 2, 2016


    Since last weekend, banks and online marketing agencies in Germany have been receiving DDoS extortion mails from Kadyrovtsy. The situation has led the Link11 Security Operation Center (LSOC) to warn about demonstration attacks from the perpetrators that reach bandwidths well above 50 Gbps. Until now, such high-volume warning attacks have been more a trait of the internationally operating extorters DD4BC and Armada Collective.

    Frankfurt, June 2nd 2016 – "We are the Kadyrovtsy and we have chosen your company as target for our next DDoS attack." With these words a new DDoS extortion wave began on May 26th. Under the alias "Kadyrovtsy", perpetrators already known in Europe have started to blackmail banks and online marketing agencies, demanding a ransom of 15 Bitcoins (around £5,500 as of June 2nd 2016). Every extortion mail carries its own Bitcoin address, tied to the individual victim. The businesses are given around 4 to 5 days to comply.

    High-volume warning attacks

    Unlike most of the DDoS copycats seen in recent weeks and months, Kadyrovtsy does not stop at sending out extortion mails. The perpetrators back up their demands with warning attacks of between 50 and 90 Gbps. These demonstration attacks last up to an hour and, according to the LSOC, cause downtime for unprotected targets. Kadyrovtsy relies on ICMP floods and DNS reflection. The LSOC believes the perpetrators have enough resources to attack several targets at once.
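    As an added example, not code from Link11 or from the original article, the following Python sketch shows how flow records for a target could be screened for the two vectors named above. DNS reflection shows up as UDP traffic from source port 53 arriving from many distinct resolvers that the target never queried, carrying near-MTU response sizes; an ICMP flood shows up as a packet-rate anomaly. The IP ranges, flow volumes and thresholds are constructed for illustration and are not figures from the page.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example, not Link11 figures; tune to your baseline.
MIN_REFLECTORS = 50          # distinct source IPs before calling it reflection
MIN_AVG_DNS_RESPONSE = 1000  # bytes; amplified answers sit near the MTU
MIN_VOLUME_GBPS = 1.0
MIN_ICMP_PPS = 100_000


@dataclass(frozen=True)
class Flow:
    """One summarised flow record (NetFlow/sFlow style)."""
    ts: float
    proto: str   # "udp", "icmp" or "tcp"
    src: str
    sport: int   # 0 for ICMP
    dst: str
    dport: int
    bytes: int
    packets: int


def classify_window(flows, target, window_s):
    """Return {vector: metrics} for traffic aimed at `target` within `window_s` seconds."""
    inbound = [f for f in flows if f.dst == target]
    # Resolvers the target itself queried: their replies are solicited, not reflection.
    queried = {f.dst for f in flows
               if f.src == target and f.proto == "udp" and f.dport == 53}
    findings = {}

    # DNS reflection: answers from port 53 that nobody on the target asked for.
    unsolicited = [f for f in inbound
                   if f.proto == "udp" and f.sport == 53 and f.src not in queried]
    if unsolicited:
        total_bytes = sum(f.bytes for f in unsolicited)
        total_pkts = sum(f.packets for f in unsolicited)
        gbps = total_bytes * 8 / window_s / 1e9
        reflectors = {f.src for f in unsolicited}
        if (len(reflectors) >= MIN_REFLECTORS
                and total_bytes / total_pkts >= MIN_AVG_DNS_RESPONSE
                and gbps >= MIN_VOLUME_GBPS):
            findings["dns_reflection"] = {"gbps": round(gbps, 2),
                                          "reflectors": len(reflectors)}

    # ICMP flood: packet rate or volume far above anything echo traffic should produce.
    icmp = [f for f in inbound if f.proto == "icmp"]
    if icmp:
        gbps = sum(f.bytes for f in icmp) * 8 / window_s / 1e9
        pps = sum(f.packets for f in icmp) / window_s
        if pps >= MIN_ICMP_PPS or gbps >= MIN_VOLUME_GBPS:
            findings["icmp_flood"] = {"gbps": round(gbps, 2), "pps": int(pps),
                                      "sources": len({f.src for f in icmp})}
    return findings


VICTIM = "203.0.113.10"  # constructed, from the documentation range


def baseline_flows():
    """Constructed benign traffic: two HTTPS sessions and one DNS lookup the victim made itself."""
    return [
        Flow(0.1, "tcp", "198.51.100.250", 51000, VICTIM, 443, 120_000, 150),
        Flow(0.2, "tcp", "198.51.100.251", 51001, VICTIM, 443, 80_000, 100),
        Flow(0.3, "udp", VICTIM, 40000, "192.0.2.53", 53, 80, 1),    # victim's own query
        Flow(0.3, "udp", "192.0.2.53", 53, VICTIM, 40000, 512, 1),   # solicited reply
    ]


def attack_flows():
    """Constructed attack within a 1 s window: 200 open resolvers reflecting ~1400-byte
    answers (about 48 Gbps) plus 100 ICMP sources (about 4 Gbps, 8 Mpps)."""
    flows = []
    for i in range(200):
        b = 30_000_000
        flows.append(Flow(0.5, "udp", f"198.51.100.{i}", 53, VICTIM, 33000 + i, b, b // 1400))
    for i in range(100):
        flows.append(Flow(0.5, "icmp", f"192.0.2.{100 + i}", 0, VICTIM, 0, 5_000_000, 80_000))
    return flows


SAMPLE_FLOWS = baseline_flows() + attack_flows()

if __name__ == "__main__":
    print(classify_window(SAMPLE_FLOWS, VICTIM, window_s=1.0))
```

    The solicited-reply check matters in practice: a busy resolver client legitimately receives plenty of port-53 traffic, so source port alone is a poor signal, while unsolicited answers from dozens of distinct resolvers at near-MTU size are characteristic of amplification.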

    Kadyrovtsy operates internationally

    The DDoS extorters have been operating in Europe since the end of April. Their name echoes the paramilitary units that fought under the pro-Russian Chechen president Akhmad Kadyrov. Just as if it were a war, the cybercriminals have since expanded their operations to further European countries. According to the BSI, the group has already blackmailed US businesses as well:

    April 22nd 2016: Kadyrovtsy pressures a British financial business with a 90 Gbps volumetric attack. CERT UK warns about the perpetrators in its weekly update mail.

    May 7th / 8th 2016: In early May Kadyrovtsy starts an extortion wave against the largest banks in Poland; Pekao Bank is one of the victims. Specialised media report warning attacks with peak bandwidths between 10 and 50 Gbps.

    May 19th 2016: A Dutch payment service provider receives an extortion mail and suffers a warning attack.

    Since May 26th 2016: Kadyrovtsy has been targeting businesses in Germany and backs its demands with high-volume DDoS attacks.

    Kadyrovtsy’s Approach

    Their mode of operation and their language skills have changed since the DDoS extorters emerged in April. The LSOC has identified the most important differences:

    • The extorters change their email address, but all addresses are registered with the email provider sigaint.org, which is well known to be used by cybercriminals.
    • Kadyrovtsy varies the ransom demanded from country to country; it lies between 15 and 20 Bitcoins.
    • The attacked businesses now have a few days to transfer the ransom to the stated Bitcoin address. At the end of April this window was still only 24 hours: "if not payed after 24 hours total atackk" (sic)
    • The extortion mails use different wording. In the mails known from the UK the demands are blunt and written in broken English: "we dos attack your all total network of not payed 20 bitcoins" (April 25th 2016). In the current ransom demands the wording, grammar and spelling are considerably better: "All of your servers will be subject to a DDoS attack starting at" (June 1st 2016)
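    The indicators listed above (sender at sigaint.org, a ransom of 15 to 20 Bitcoins, a victim-specific Bitcoin address, a stated deadline) lend themselves to a first-pass triage of incoming mails. The following Python example is added here and is not Link11's code or any tool mentioned on the page. It extracts the sender domain, the demanded amount, the deadline and any Bitcoin address, and verifies each address with the Base58Check checksum so that random Base58-looking strings are not counted as indicators. The sample mail, its recipient and the Bitcoin address are constructed for this example; the address is derived from a fixed string and is not one used by the extorters.

```python
import hashlib
import re
from email import message_from_string

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SUSPECT_MAIL_DOMAINS = {"sigaint.org"}  # provider named in the article


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + digits


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    if not addr or any(c not in ALPHABET for c in addr):
        return False
    raw = b58decode(addr)
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]


def make_p2pkh_address(hash160: bytes) -> str:
    """Build a mainnet P2PKH address (version 0x00) from a 20-byte hash."""
    payload = b"\x00" + hash160
    return b58encode(payload + checksum(payload))


# Constructed sample address for this example only (derived from a fixed string).
SAMPLE_ADDRESS = make_p2pkh_address(hashlib.sha256(b"constructed sample").digest()[:20])

BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
AMOUNT_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.I)
DEADLINE_RE = re.compile(r"within\s+(\d+)\s*(hours?|days?)", re.I)


def triage(raw_mail: str) -> dict:
    """Score an extortion mail against the indicators described in the article."""
    msg = message_from_string(raw_mail)
    sender = msg.get("From", "")
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in sender else ""
    body = msg.get_payload()
    addrs = [a for a in BTC_ADDR_RE.findall(body) if valid_btc_address(a)]
    amount = AMOUNT_RE.search(body)
    deadline = DEADLINE_RE.search(body)
    hours = None
    if deadline:
        unit = 24 if deadline.group(2).lower().startswith("day") else 1
        hours = int(deadline.group(1)) * unit
    ransom = float(amount.group(1)) if amount else None
    indicators = {
        "sender_domain_known": domain in SUSPECT_MAIL_DOMAINS,
        "valid_btc_address": bool(addrs),
        "ransom_in_range": ransom is not None and 15 <= ransom <= 20,
        "deadline_stated": hours is not None,
    }
    return {"sender_domain": domain, "btc_addresses": addrs, "ransom_btc": ransom,
            "deadline_hours": hours, "indicators": indicators,
            "score": sum(indicators.values())}


# Constructed sample mail; wording follows the style quoted in the article, not a real message.
SAMPLE_MAIL = f"""From: kadyrovtsy@sigaint.org
To: soc@example-bank.invalid
Subject: DDoS attack

We are the Kadyrovtsy and we have chosen your company as target for our next DDoS attack.
All of your servers will be subject to a DDoS attack starting at 2016-06-06 12:00 UTC.
Pay 15 bitcoins to {SAMPLE_ADDRESS} within 5 days or the attack starts.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
```

    A mail with a mistyped address fails the checksum and contributes no address indicator, which keeps the score honest when analysts paste partial strings into a ticket. The domain check is deliberately a set lookup so that further providers can be added as they are observed.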

    Onur Cengiz, Head of LSOC, advises that the extortion attempts by Kadyrovtsy should be taken seriously. "Since March there have been a few extortion waves. But in contrast to recent developments with groups like RedDoor and caremini, Kadyrovtsy does get attention with its suddenly executed high-volume attacks. Only a few businesses are capable of defending against attacks of 50 Gbps or more themselves." Cengiz recommends: "You should proactively activate your DDoS protection systems! If they are not designed to protect against volumetric attacks, find out how you can increase your protection bandwidth at short notice. React immediately if extraordinary events or network anomalies occur!"

    The LSOC advises affected businesses not to give in to the extortion but to notify the authorities.
