A Three-Episode DDoS Ransom Attack Prologue



DDoS attacks are becoming a part of ransom attacks. Instead of infiltrating secure organizational assets, attackers are launching devastating DDoS attacks to demonstrate their capabilities and demand ransom money. Understanding the ransom DDoS threat is essential to building an effective mitigation plan.

Our story begins in August of 2020, and continues for over a year with three episodes. Here they are:

Episode I

In August 2020, we witnessed the first wave of cyber extortion attacks, in which the ‘Lazarus group’ targeted finance, travel and e-commerce organizations with ransom emails demanding that companies pay 10 bitcoins (which was about $100,000). A few hours after receiving the message, organizations were hit by DDoS attacks exceeding 200Gbps and lasting over nine hours, causing severe service disruption.

In their letters (see below), the extortionists gave their victims seven days to buy the bitcoin and pay the ransom before deploying their DDoS attacks. However, every day of delay increased the ransom by 1 bitcoin.

[Image: sample of a letter Fancy Lazarus sent to its targets.]


Episode II

In January 2021, we saw a second extortion wave. The cyber criminals sent new extortion emails stating, “Maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back.” This time they asked for 5 bitcoin (Bitcoin value exceeded $30,000).

The lesson is clear: do not pay the ransom! If you do pay, you will be targeted again and again… and so it continues.

Episode III

Starting June 2021, a new wave of cyber extortion campaigns began targeting all sectors, starting with Danish and Irish ISPs and CSPs. The group modified its name to ‘Fancy Lazarus’. The ransom was much smaller and varied by victim between ₿0.5 (US$18,500), ₿2 (US$75,000) and ₿5 (US$185,000); they adapted the ransom demand to the company size. Subsequent attacks were up to 200Gbps.

As DDoS attacks have evolved, we have seen new tactics in which the attackers hunted for unprotected assets, including public cloud assets, attacked DNS services and saturated links. This demonstrates that the attackers were preparing in advance by learning their victims’ weak spots.

Reports from victims impacted by follow-through attacks of this extortion campaign confirm that most were relying on their ISP or CSP to defend against DDoS threats. However, they were not prepared for large-scale DDoS attacks with varying attack vectors, including application DDoS attacks.
