- Published: Friday, 04 September 2020 07:44
Since the middle of August, Radware has been tracking several extortion requests from threat actors. Letters are being delivered via email and typically contain victim-specific data such as Autonomous System Numbers (ASN) or IP addresses of servers or services they will target if demands are not fulfilled. It is a global campaign with threats reported from organizations in finance, travel and e-commerce in APAC, EMEA and North America.
The ransom fee is initially set at 10 BTC, which is equivalent to approximately $113,000. Some fees are set as high as 20 BTC (approximately $226,000).
Ransom letters threaten cyber attacks of over 2Tbps if payment is not made. To prove the letter is not a hoax, authors indicate when they will launch a demonstration attack.
The letter indicates that if payment is not made prior to the deadline, the attack will continue and the fee will increase by 10 BTC (approximately $113,000) for each missed deadline. Each letter contains a Bitcoin wallet address for payment. The wallet address is unique for each target and allows the actor to track payments.
Radware has evidence of malicious actors following up on their initial demand. In follow up messages, threat actors underscore that the unique Bitcoin address from the initial letter is still empty and reiterate the seriousness of the threat. They also provide keywords and organization names so the target organization can search for recent DDoS disruptions, followed by the rhetorical question “You don’t want to be like them, do you?”
The threat actors state they prefer payment over attack and allow the target to reconsider paying. The threat actor will often extend the deadline by one day.
In many cases the ransom threat is followed by DDoS attacks ranging from 50 Gbps to 200 Gbps. The attack vectors include UDP and UDP-fragment floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP floods.
Threats should be taken seriously, says Radware, as letters are often followed by DDoS attacks.
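The vectors listed above can be told apart in ordinary flow telemetry before a scrubbing provider is engaged. The following is an added example, not code from Radware or the report; it classifies constructed NetFlow-style records into those vectors and aggregates per-destination bit rates over a window. The flow records, the 10-second window and the 5 Gbps per-vector alert threshold are all invented for illustration; UDP/3702 is the real WS-Discovery (SOAP-over-UDP) port that reflectors answer from. Treating any TCP flow that never carries a SYN as "out of state" is a flow-level approximation: a stateful firewall is the authoritative judge of whether a packet belongs to an established connection.

```python
"""Classify flow records into the DDoS vectors named in the Radware RDoS report
and compute per-destination rates. Added example with constructed input."""
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery (SOAP-over-UDP); reflected responses come from this source port


def classify_flow(rec):
    """Map one flow record to a vector label.

    Approximation: a TCP flow whose flags never include SYN is labelled
    out-of-state; a stateful device would confirm this against its connection table.
    """
    proto = rec["proto"]
    if proto == "icmp":
        return "icmp_flood"
    if proto == "udp":
        if rec["src_port"] == WSD_PORT:
            return "wsd_amplification"
        if rec["fragmented"]:
            return "udp_frag_flood"
        return "udp_flood"
    if proto == "tcp":
        flags = set(rec["flags"])
        if flags == {"SYN"}:
            return "syn_flood"           # SYN-only flows: half-open connection attempts
        if "SYN" not in flags:
            return "tcp_out_of_state"    # ACK/RST/FIN/PSH with no handshake seen
    return "other"


def rate_by_vector(records, window_s):
    """Return {dst_ip: {vector: gbps}} for flows exported over a window_s-second window."""
    bytes_seen = defaultdict(lambda: defaultdict(int))
    for rec in records:
        bytes_seen[rec["dst_ip"]][classify_flow(rec)] += rec["bytes"]
    return {dst: {vec: b * 8 / window_s / 1e9 for vec, b in vecs.items()}
            for dst, vecs in bytes_seen.items()}


def total_gbps(records, window_s):
    """Aggregate rate per destination across all vectors."""
    return {dst: sum(vecs.values()) for dst, vecs in rate_by_vector(records, window_s).items()}


def alerts(records, window_s, threshold_gbps):
    """List (dst_ip, vector, gbps) for every vector at or above the per-vector threshold."""
    out = []
    for dst, vecs in rate_by_vector(records, window_s).items():
        for vec, gbps in sorted(vecs.items()):
            if gbps >= threshold_gbps:
                out.append((dst, vec, round(gbps, 1)))
    return out


# Constructed sample: one 10-second export window, byte counts chosen to land in the
# 50-200 Gbps range the report describes. Addresses are RFC 5737 documentation ranges.
WINDOW_S = 10
SAMPLE_FLOWS = [
    # WS-Discovery reflection: two reflectors answering from UDP/3702 with large payloads
    {"proto": "udp", "src_ip": "203.0.113.10", "src_port": 3702, "dst_ip": "198.51.100.5",
     "dst_port": 41000, "flags": [], "fragmented": False, "bytes": 40_000_000_000},
    {"proto": "udp", "src_ip": "203.0.113.11", "src_port": 3702, "dst_ip": "198.51.100.5",
     "dst_port": 41001, "flags": [], "fragmented": False, "bytes": 35_000_000_000},
    # UDP fragments from a spoofed source
    {"proto": "udp", "src_ip": "192.0.2.77", "src_port": 53312, "dst_ip": "198.51.100.5",
     "dst_port": 80, "flags": [], "fragmented": True, "bytes": 20_000_000_000},
    # SYN flood against HTTPS
    {"proto": "tcp", "src_ip": "192.0.2.88", "src_port": 1025, "dst_ip": "198.51.100.5",
     "dst_port": 443, "flags": ["SYN"], "fragmented": False, "bytes": 9_000_000_000},
    # Out-of-state ACKs: no SYN ever seen in the flow
    {"proto": "tcp", "src_ip": "192.0.2.99", "src_port": 40000, "dst_ip": "198.51.100.5",
     "dst_port": 443, "flags": ["ACK"], "fragmented": False, "bytes": 6_000_000_000},
    # ICMP flood
    {"proto": "icmp", "src_ip": "192.0.2.100", "src_port": 0, "dst_ip": "198.51.100.5",
     "dst_port": 0, "flags": [], "fragmented": False, "bytes": 4_000_000_000},
    # Legitimate, fully handshaken web session to a different host (stays below threshold)
    {"proto": "tcp", "src_ip": "192.0.2.5", "src_port": 50000, "dst_ip": "198.51.100.9",
     "dst_port": 443, "flags": ["SYN", "ACK", "PSH", "FIN"], "fragmented": False, "bytes": 1_000_000},
]

if __name__ == "__main__":
    for dst, vecs in rate_by_vector(SAMPLE_FLOWS, WINDOW_S).items():
        print(dst, {v: round(g, 1) for v, g in vecs.items()})
    print("total Gbps:", {d: round(g, 1) for d, g in total_gbps(SAMPLE_FLOWS, WINDOW_S).items()})
    print("alerts:", alerts(SAMPLE_FLOWS, WINDOW_S, threshold_gbps=5.0))
```

In the constructed window the target receives about 91 Gbps in total, with WS-Discovery reflection dominating; the per-vector breakdown is what a mitigation team needs, because reflected UDP from a fixed source port can be rate-limited or dropped at the edge while SYN and out-of-state TCP are better handled by SYN cookies and a stateful device. Real NetFlow/IPFIX exports carry a flags bitmask and a fragment indicator rather than the lists used here, so the field mapping would change but the logic would not.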
More details (PDF).