​Cybercriminals are impersonating ‘Fancy Bear APT’ to launch DDoS ransom attacks against financial institutions

• Researchers noted that the ransom letter used in this campaign is almost similar to the one used in 2017 by another DDoS ransom gang that also posed as the Fancy Bear group.
• Apart from financial companies, these DDoS ransom attacks were also observed to be targeted against companies in the entertainment and retail sector.

What’s the matter?

Researchers have observed several‘Ransom Denial-of-Service’ (RDOS) attacks launched against financial institutions over the past week.

Why it matters?

These DDoS attacks were found to be carried out by cybercriminals impersonating the infamous Russian APT group ‘Fancy Bear’.

The big picture

A researcher from Radware, Daniel Smith, noted that the attackers are launching large scale, multi-vector demo DDoS attacks against companies in the financial sector and are sending ransom letters to the victims. Smith added that the fake Fancy Bear group threatens the companies with a follow-up attack if they do not make the payment within a week.

“The victims are threatened with a follow-up DDoS attack if they do not make a payment in bitcoin within a week. At the moment, no follow-up attacks have been observed,” Smith told ZDNet.

Another researcher from Link11, Thomas Pohle, confirmed the same, adding that the purpose of these demo attacks is to trick victims into paying the ransom demand.

• Pohle noted that these DDoS attacks are a mixture of different protocols, such as DNS, NTP, CLDAP, ARMS, and WS-Discovery.
• The Link11 researchers added that these are targeted attacks, wherein the extortionists analyze and choose their targets in advance.
• These attacks are not targeted against the financial companies’ public website, but against their backend servers.

Contents of the ransom letter

The ransom letter sent to victims threatens that a DDoS attack will be launched in XX days. The letter goes to to say that a harmless demo attack will be launched now that will last for 30 minutes. In order to avoid this attack, it asks for a ransom payment of 2 bitcoin, which is worth $15,000.

Worth noting

• Researchers noted that the ransom letter used in this campaign is almost similar to the one used in 2017 by another DDoS ransom gang that also posed as the Fancy Bear group.
• This fake Fancy Bear group is reported to own an actual DDoS botnet.
• Apart from financial companies, these DDoS ransom attacks were also observed to be targeted against companies in the entertainment and retail sector.