Frankfurt, June 2nd 2016 – "We are the Kadyrovtsy and we have chosen your company as target for our next DDoS attack." With these words a new DDoS extortion wave began on May 26th. Under the alias "Kadyrovtsy", perpetrators already known in Europe have started to blackmail banks and online marketing agencies, demanding a ransom of 15 Bitcoins (around £5,500 as of June 2nd 2016). Each extortion mail contains a Bitcoin address linked to the victim. The businesses have around 4 to 5 days to comply.
Contrary to the behavior of most DDoS copycats in recent weeks and months, Kadyrovtsy does not just stick to sending out extortion mails. The perpetrators back up their demands with warning attacks of between 50 and 90 Gbps. These demonstration attacks last up to an hour and, according to the LSOC, result in downtime for unprotected targets. Kadyrovtsy relies on ICMP floods and DNS reflection. The LSOC believes the perpetrators have enough resources to attack several targets at once.
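As an added illustration (not code from Link11 or the LSOC), the following Python sketch shows how a defender could spot the two vectors named above in flow records: it totals ICMP bytes and DNS-answer bytes (UDP source port 53) per destination over one collection window, converts them to Gbps and raises an alert when a volume threshold is crossed, requiring many distinct answering resolvers before calling it reflection. The flow records, addresses, window length and thresholds are constructed assumptions.

```python
# Added illustration (not Link11/LSOC code): per-destination ICMP-flood and
# DNS-reflection volume check over flow records from one collection window.
from collections import defaultdict

WINDOW_SECONDS = 10  # assumed collection window of the sample below

# Constructed records (src_ip, dst_ip, proto, src_port, bytes): 203.0.113.10 gets
# answers from 80 open resolvers (UDP source port 53) plus an ICMP flood;
# 203.0.113.20 only sees ordinary traffic.
SAMPLE_FLOWS = (
    [(f"198.51.100.{i}", "203.0.113.10", "udp", 53, 1_000_000_000) for i in range(1, 81)]
    + [("192.0.2.7", "203.0.113.10", "icmp", 0, 30_000_000_000),
       ("192.0.2.50", "203.0.113.20", "udp", 53, 2_000_000),
       ("192.0.2.51", "203.0.113.20", "tcp", 443, 5_000_000)]
)

def summarize(flows, window_seconds):
    """Per destination: ICMP Gbps, DNS-answer Gbps and distinct answering sources."""
    icmp_bytes, dns_bytes = defaultdict(int), defaultdict(int)
    dns_sources = defaultdict(set)
    for src, dst, proto, sport, nbytes in flows:
        if proto == "icmp":
            icmp_bytes[dst] += nbytes
        elif proto == "udp" and sport == 53:  # unsolicited DNS answers = reflection
            dns_bytes[dst] += nbytes
            dns_sources[dst].add(src)
    gbps = lambda total: total * 8 / window_seconds / 1e9
    return {
        dst: {"icmp_gbps": gbps(icmp_bytes[dst]), "dns_gbps": gbps(dns_bytes[dst]),
              "dns_sources": len(dns_sources[dst])}
        for dst in set(icmp_bytes) | set(dns_bytes)
    }

def findings(summary, gbps_threshold=10.0, min_reflectors=50):
    """Alert per destination; reflection also needs many distinct reflectors."""
    alerts = {}
    for dst, stats in summary.items():
        reasons = []
        if stats["icmp_gbps"] >= gbps_threshold:
            reasons.append("icmp_flood")
        if stats["dns_gbps"] >= gbps_threshold and stats["dns_sources"] >= min_reflectors:
            reasons.append("dns_reflection")
        if reasons:
            alerts[dst] = reasons
    return alerts

def analyse_sample():
    # returns {'203.0.113.10': ['icmp_flood', 'dns_reflection']}
    return findings(summarize(SAMPLE_FLOWS, WINDOW_SECONDS))
```

The thresholds are deliberately coarse; in production they would be tuned to the link capacity and baseline of the monitored network.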
The DDoS extortionists have been operating in Europe since the end of April. Their name echoes the paramilitary units that fought under the pro-Russian Chechen president Akhmad Kadyrov. As if it were war, the cybercriminals have since expanded their operations to more European countries. According to the BSI, the group has already blackmailed US businesses as well:
April 22nd 2016: Kadyrovtsy pressures a British financial business with a 90 Gbps volume attack. CERT-UK warns about the perpetrators in its weekly update mail.
May 7th / 8th 2016: In early May Kadyrovtsy starts an extortion wave against the largest banks in Poland. Pekao Bank is one of the victims. Specialized media report warning attacks with peak bandwidths between 10 and 50 Gbps.
May 19th 2016: A Dutch payment service provider receives an extortion mail and suffers a warning attack.
Since May 26th 2016: Kadyrovtsy has been targeting businesses in Germany, backing its demands with high-volume DDoS attacks.
Their style of operation and their language skills have changed since the DDoS extortionists emerged in April. The LSOC has identified the most important differences:
Onur Cengiz, Head of the LSOC, says the extortions by Kadyrovtsy should be taken seriously. "Since March there have been a few extortion waves. But contrary to recent developments with groups like RedDoor and caremini, Kadyrovtsy does get attention with its suddenly executed high-volume attacks. Only a few businesses are capable of defending against attacks of 50 Gbps or more themselves." Cengiz recommends: "You should proactively initiate your DDoS protection systems! If they are not designed to protect against volume attacks, find out how you can increase your protection bandwidth at short notice. React immediately if extraordinary events and network anomalies occur!"
The LSOC advises affected businesses not to give in to the extortion and to notify the authorities instead.