Network Security, Threat Management

What to do about the new wave of DDoS extortion attacks

While last summer’s attack on the New Zealand Stock Exchange was one of the most high-profile cases, today’s columnist, Pascal Geenens of Radware, says DDoS extortion groups are still very active.;

In recent weeks, Radware has been seeing a significant increase in distributed denial of service (DDoS) activity in which DDoS extortion groups identify and target organizations with unprotected assets and invite them to pay a ransom rather than endure devastating DDoS attacks. We’ve observed this both when onboarding new vulnerable customers, as well as existing ones that have new, unprotected assets.

This follows earlier reports of several internet service providers (ISPs) and cloud service providers (CSPs) receiving ransom letters followed by DDoS attacks that impacted their services and availability. Going by the name “Fancy Lazarus,” the action radius of the extortion group has been extending to organizations of all sizes across the world and in all verticals. There’s no target that’s too small or too big.

While “Fantasy APT looking for unprotected assets” may sound like a sleazy classified ad, it very much describes the latest tactics employed by DDoS extortionists. Less than a year ago, a malicious actor going by the names “Fancy Bear” and “Lazarus Group” started targeting finance, travel, and e-commerce organizations in what turned out to be one of the most extensive and longest-running DDoS extortion campaigns in history.

Six months ago, we observed an increase in the tactic of circling back to previous DDoS victims to profit from the surge in bitcoin. We noted that ransom DDoS, which traditionally was an event limited in time with yearly spikes, was now becoming a persistent threat, and security teams should consider it an integral part of the DDoS threat landscape. One sentence that consistently appeared in these ransom letters stuck out: “Remember, we never give up.”

The most recent bad actors, calling themselves “Fancy Lazarus,” have been sending ransom letters to ISPs and cloud hosting providers. Likely in an attempt to instill fear in their victims and pressure them to comply with their demands, they’ve created this new super APT moniker, a polynomial consisting of an equal part “Fancy Bear,” the Russian APT, and part “Lazarus,” the North Korean APT.

In their letter, the extortionists give their victims seven days to buy the bitcoin and pay the ransom before they start their DDoS attack. Each day after the deadline passes without payment the fee increases. The ransom demand varies between targets and seemingly gets adjusted based on a target’s reputation and size. The ransom demands have also been scaled back compared to the huge demands of 10 and 20 bitcoins (about $370,000 and $740,000) witnessed from last summer’s campaigns. Demands now generally vary between 0.5 bitcoins ($18,500) and 5 bitcoins ($185,000) and increase by the same amounts every day the deadline was missed.

Reports from victims

Radware’s Cloud Services has seen numerous emergency onboardings in recent weeks from companies that have received a ransom letter. None of the ransom letters mentioned an already protected asset from new or existing customers, so the assumption is that bad actors are specifically targeting unprotected assets and organizations. Malicious actors can leverage Border Gateway Protocol (BGP) routing information to detect targets that are protected by always-on cloud protection services. This routing information is required for the correct functioning of the internet, and tracing the routing hops between any two points on the internet allows anyone to verify if specific targets are protected by anycasted cloud DDoS scrubbing services.

Reports from victims impacted by follow-through attacks of this extortion campaign confirm this observation. Most ISP and CSP victims were equipped with DDoS mitigation services to protect their customers. However, they were not prepared for large, globally distributed attacks, saturating internet links and attacks directed to DNS services.


While it’s adequate to use on-premises or local DDoS detection and mitigation for latency-sensitive services and applications, it only protects local infrastructure against attacks that are below the capacity of the internet links. Once attacks exceed the bandwidth of internet connections, security teams need an upstream solution that block attacks while allowing only legitimate traffic to the organization. Companies can only effectively mitigate very large and globally distributed DDoS attacks by stopping malicious traffic closest to its source and never allowing multiple geographically distributed traffic streams to flock. Only globally distributed and anycasted protection services are effective against these kinds of DDoS attacks.

Cloud DDoS services will introduce latency, often unacceptable for some applications and services when at rest. Hybrid DDoS solutions offer the best of both worlds. They deliver on-premises protection against all types of DDoS attacks while automatically diverting to a cloud DDoS Service when the attack risks saturate the internet link. Although security pros may find additional latency likely while diverted to the cloud, it should not interrupt service. Meanwhile, organizations should not experience latency when they are not under attack.

The recent uptick in criminal activity should serve as a strong reminder to enterprises, ISPs and CSPs of any size and industry — it’s time to assess the protection of their essential internet connections and plan against globally distributed DDoS attacks aimed at saturating links. 

Pascal Geenens, director, threat intelligence, Radware   

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.