Fancy Bear extortion emails demand Bitcoin transfers and threaten lengthy, high-volume attacks over 2,000 Gbps, with critical infrastructure providers targeted most
Link11, European leader in cyber-resilience, is warning of a rise in DDoS extortion and large-scale DDoS attacks carried out by blackmailers under the alias ‘Fancy Bear.’
Since the 12th August, companies have been receiving extortion emails from a sender under the name of ‘Fancy Bear.’ These emails have included the subject line: ‘DDoS attacks on your network.’ In the email the perpetrators have been demanding 15 Bitcoins, which, as of August 19th, is worth almost 150,000 Euros. Based on findings from the Link11 Security Operations Center (LSOC), the blackmail has been targeted at companies across various industries, although operators of critical infrastructures seem to be increasingly targeted.
This corresponds to the assessment made by the World Economic Forum (WEF), which in its Global Risk Report 2020, found cyberattacks on critical infrastructures operators to be one of the top five global risks, calling them a “new normality”.
In October 2019, the ‘Fancy Bear’ blackmailers threatened DDoS attacks to put pressure on companies in order to obtain Bitcoins. The blackmail emails from last autumn and those from the current wave are largely identical in text. The Bitcoin addresses have been changed so the attackers can check who has paid. According to the email, targeted companies have seven days to transfer the Bitcoins.
To stress the seriousness of their demands, the blackmailers have been launching warning attacks, which have been characterized by very high bandwidths and a long-lasting, high intensity. According to the attackers, however, these are only intended to provide a warning of what is to come if the ransom is not paid. If no Bitcoins are transferred, they threaten attacks of over 2,000 Gbps.
Attacks that were successfully fended off by LSOC for critical infrastructure providers reached several hundred Gbps and lasted several hours. The attacks were based on UPD Floods, TCP Floods and SYN Floods. To increase the attack volume, the perpetrators relied on the Reflection Amplification vectors WS Discovery, DNS, and Apple Remote Control.
In view of the aggressive nature of these perpetrators, organizations need to take these threats seriously. As soon as they receive an extortion email, they should proactively activate their DDoS protection solution. If the solution is not designed for high volume attacks of several hundred Gbps and more, it is important to find out how the company-specific protection bandwidth can be increased in the short term.
It is also important that targeted companies do not respond to the blackmail and instead report the attack to the national or local law enforcement authorities.