Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail

As mentioned below, the Akamai SIRT has been tracking attacks from the so-called Armada Collective and Fancy Bear actors, who are sending ransom letters to various industry verticals such as finance, travel, and e-commerce. 

In addition to the information in our previous advisory, we can confirm that we're now seeing attacks peak at almost 200 Gb/sec, utilizing ARMS, DNS Flood, GRE Protocol Flood, SNMP Flood, SYN Flood, and WSDiscovery Flood attacks as their main vectors. We've not seen a specific region being targeted as a result of these extortion attacks. There are institutions that reside in the UK, US, and APAC region who have received ransom letters.  

At this time, we are not aware of any instances where the threatened follow-up attack was initiated once the ransom demand deadline passed. Consequently, the lesson here is that regardless of whether or not the targeted organization pays the ransom demand or not, the outcome remains the same. As such, Akamai still encourages those targeted by these demands to not pay the ransom. 

Likewise, we still believe that the actors conducting these extortion attacks are looking for a quick payout, with as little effort as possible on their part.

Akamai's Security Intelligence Research Team (SIRT) has been investigating a series of recent DDoS attacks targeting businesses across multiple sectors within the last week or so. The extortion demands are similar to those used by DDoS ransom groups in the past.

The initial contact starts with a threatening email, warning of an impending DDoS attack against their company unless a ransom is paid in Bitcoin. The wording of the extortion letters is very similar to the letters published in the media during past campaigns and similar to the last DDoS extortion campaign Akamai documented back in November 2019.

In some cases, the letters warn that if the existence of the extortion demand is disclosed publicly (i.e. released to the media), then the threatened attack will begin immediately.

In the extortion demands from Armada Collective seen by Akamai, the ransom starts at 5 BTC and increases to 10 BTC if the deadline is missed, with a 5 BTC increase for each day thereafter. Fancy Bear on the other hand, starts at 20 BTC, and increases to 30 BTC if the deadline is missed, with an additional 10 BTC for each additional day.

While most extortion demands of this type typically follow a set amount when it comes to ransom demands, the financial elements are subject to change based on the whims of the threat actors themselves.

The letters identify targeted assets at the victim's organization and promise a small "test" attack to prove the seriousness of the situation. Some of the ransom letters claim the threat actors have the power to unleash a DDoS attack of up to 2Tbps. 

We are aware that a 50 Gb/sec attack targeted a customer on Akamai's network. The traffic consisted of a UDP-based, ARMS protocol reflection attack; the number of reflectors used is unknown at this time.

The Akamai SIRT suspects the extortion demands are originating from copycats using the reputation of known attack groups as a means of intimidation in order to expedite payment.

Should your organization receive an extortion letter, Akamai recommends that the ransom not be paid, as there is no guarantee the attacks will end. Moreover, paying ransom demands will only further finance the group perpetrating them.