17 Jun 2021
Story image

Warning: Fancy Lazarus DDoS extortion group resurfaces

By Shannon Williams

The Fancy Lazarus DDoS extortion group is back with new a campaign focused on unprotected assets across all industries, according to cyber security firm Radware.

Radware published a cybersecurity alert warning that Fancy Lazarus, a well-known distributed denial of service extortionist, has resurfaced with a new campaign focused on organisations with unprotected assets across all sizes of companies in all industries. 

Less than a year ago, a Ransom DDoS threat actor posing as 'Fancy Bear' and 'Lazarus Group' was targeting specific industries such as finance, travel and e-commerce organisations and was blind to whether these organisations had DDoS protection or not. 

This earlier campaign turned out to be one of the most extensive and longest-running DDoS extortion campaigns in history. 

Lately, Radware has identified an increase in emergency onboardings from new customers that have had DDoS ransomware threats.

In recent weeks, Radware has been monitoring an increase of activity from a threat actor calling himself Fancy Lazarus targeting organisations with assets that were supposedly not adequately protected and inviting them to pay a ransom rather than endure devastating DDoS attacks.

In their letters, the extortionists give their victims seven days to buy the Bitcoin and pay the ransom before they start their DDoS attacks. Each day after the deadline passes without payment increases the fee. The ransom demand varies between targets and seems to be adjusted to a target's reputation and size. 

The ransom demand is also less expansive compared to the huge demands of 10 and 20 bitcoin (currently, about $370,000 and $740,000) witnessed from last summer's campaigns. Demands now generally vary between 0.5 Bitcoins ($18,500) and five Bitcoins ($185,000) and increase by the same amounts for every day the deadline is missed. 

"This is the first time we are seeing the bad actors selectively target organisations and favour those with unprotected assets for their ransom letters," says Pascal Geenens, director of threat intelligence, Radware. 

"This implies that malicious actors are leveraging Border Gateway Protocol routing information to detect whether targets are protected by always-on cloud protection services," he says.

In addition, we're seeing that ransom DDoS, which traditionally was an event limited in time with yearly spikes, is now becoming a persistent threat, and should be considered an integral part of the DDoS threat landscape." 

Reports from victims impacted by follow-through attacks of this extortion campaign confirm this observation. Most Internet Service Providers and Cloud Service Provider victims were equipped with DDoS mitigation services to protect their customers. However, it appears that not all of them were prepared for large, globally distributed attacks targeting their DNS servers or saturating their internet links. 

Very large and globally distributed DDoS attacks can be effectively mitigated only by stopping malicious traffic closest to its source and never allowing multiple geographically distributed traffic streams to flock. Only globally distributed and anycasted protection services are effective against these kinds of DDoS attacks. 

"The recent uptick in criminal activity should be a strong reminder to enterprises, ISPs and CSPs of any size and industry to assess the protection of their essential services and internet connections and plan against globally distributed DDoS attacks aimed at saturating links," says Geenens.

"This is especially in the case of service providers and their DNS services. We believe hybrid DDoS solutions provide the best of both worlds with on-premises protection against all types of DDoS attacks while automatically diverting to a cloud DDoS Service when the attack risks saturating the internet link." 

Recent stories
More stories