Global DDoS extortion campaign targets financial firms

Over the last few weeks, a cybercrime group has been extorting various organizations all over the world by threatening to launch distributed denial-of-service (DDoS) attacks against them unless they pay thousands of dollars in Bitcoin.

The attackers have been targeting organizations operating in various industries, notably finance, travel, and e-commerce. However, they don’t seem to be targeting any specific region, as ransom letters have been sent to organizations residing in the United Kingdom, the United States and the Asia-Pacific region.

According to ZDNet, the group is also behind a string of attacks against MoneyGram, YesBank, Braintree, Venmo, and most recently also the New Zealand stock exchange, which has been forced to stop its trading for three days running.

The ransom note discloses specific assets at the victim company that will be targeted by a ‘test attack' to demonstrate the seriousness of the threat. Akamai, which has been tracking the attacks, has recorded some of the DDoS attacks reaching almost 200 Gb per second, while previously an attack targeting one of its customers was recorded coming in at ‘only’ 50 Gb per second.

As part of their scare tactics, the cybercriminals take up the guise of notorious hacking groups, to wit Sednit, also known as Fancy Bear, and Armada Collective. The activities of the former group have been the subject of extensive ESET research.

The extortionists contact their victims with an email, warning them of a looming DDoS attack unless they pay the demanded ransom in Bitcoin within a specified timeframe. The fee varies based on the group they are impersonating and ranges from 5 BTC (some US$57,000) to 20 BTC (US$227,000) with the prices increasing if the deadline is missed.

The attackers ramp up their intimidation tactics further by describing the possible consequences: "...your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. [...] We will completely destroy your reputation and make sure your services will remain offline until you pay. (sic)" reads a ransom note excerpt published by Akamai.

Indeed, reputational damage combined with downtime could cost the targeted companies millions in lost revenue. However, even if the targeted organizations would consider paying the ransom, there is no guarantee that the black hats would cease their attacks; a quick payday may even encourage them to target other companies as well.

DDoS attacks, including those accompanied by extortion, have been around for years, and ESET Security Specialist Jake Moore notes that organizations shouldn’t underestimate the threat.

“These gangs will continue to cause havoc by directing massive volumes of traffic to a website, either to send a message or test the site’s defenses in preparation for further attacks. It’s clear that we should never take this threat too lightly and need to start protecting now for even stronger DDoS bombs,” he said.