By Mike Kun, Manager, Akamai SIRT
Extortion attacks have risen since DD4BC kicked things off last year. DD4BC peaked in July and the Armada Collective took over after that, sending out emails threatening attacks unless the victim(s) made ransom payments in bitcoins.
The most recent round involved many ransom demand letters, but, as far as many observers can tell, very little follow through.
Now we have Lizard Squad, or at least someone claiming to be that group, spamming over 70 Akamai customers with identical ransom demands, all of which appear to be copied from the Armada Collective emails.
Understandably, many worried about the possibility of attacks. But based on the current evidence, this is a spam campaign of threats without follow-through. In fact, these groups appear to have less punch than the Nigerian 419 spam that gets filtered out of the average inbox every morning.
Let's review the particulars:
1: Identical Bitcoin wallets
The latest round of threats all give the same Bitcoin address. This means the attackers have no way of differentiating who has paid the protection money. No one is buying protection by sending bitcoin; you're merely enriching extortionists who may or may not attack you anyway.
2: Weak threats
As noted, more than 70 Akamai customers have been threatened, and it's likely that many other companies received the same threat. This is a highly irregular number of targets to try to threaten with attacks all on the same day. Based on our past experience, there is almost no way that an attacker could take down such a huge number of sites.
Since they can't tell who, if anyone, has paid the ransom, the likelihood of any target being attacked is the same whether they paid or not. At least one mailing campaign is trying to get around this by not giving an attack date. They will simply attack *at some point* if you don't pay.
Recipients of these threats should not panic, since to date these attempts have been nothing but a cash grab.
These groups are riding on the coattails of a real attack group that has actually launched attacks, and are trying to scare people into paying a fee for nothing more than a strongly-worded email.
If your organization does get one of these letters, we suggest the following response:
1: Don't panic
2: Don't pay
3: Check your defenses. Make sure you know how to contact your cloud security providers and that your on-premises systems are up to date.
4: Assess the risk. In many cases we are seeing groups claiming to be well-known attack groups (Anonymous or Lizard Squad) and demanding a ransom. Since anyone can make these claims, they are impossible to validate. Non-specific demands are a hallmark of a hoax, or a lazy attacker.
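A defender-side triage check for the two hoax indicators the post leans on (one wallet shared by every recipient, and no stated attack date), as an added example that is not Akamai's code; the regexes, function names and the sample messages below are constructed for this illustration.

```python
import re

# Base58 Bitcoin address: P2PKH ("1...") or P2SH ("3..."), 26-35 characters.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# A concrete attack date (numeric or "Mon DD") makes a demand "specific".
DATE_RE = re.compile(
    r"\b(?:\d{1,2}[/-]\d{1,2}(?:[/-]\d{2,4})?|"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]* \d{1,2})\b",
    re.I,
)

def extract_btc_addresses(text):
    """Return every Bitcoin-looking address found in a ransom email body."""
    return BTC_ADDR_RE.findall(text)

def assess_campaign(messages):
    """messages: list of (recipient, body) pairs received across the organization.

    Flags the campaign as a likely hoax when one wallet is reused for several
    recipients (the extortionist cannot tell who paid) or when no message
    names an attack date (non-specific demands)."""
    wallet_to_recipients = {}
    undated = []
    for recipient, body in messages:
        for addr in set(extract_btc_addresses(body)):
            wallet_to_recipients.setdefault(addr, set()).add(recipient)
        if not DATE_RE.search(body):
            undated.append(recipient)
    shared = {a: sorted(r) for a, r in wallet_to_recipients.items() if len(r) > 1}
    return {
        "recipients": len(messages),
        "distinct_wallets": len(wallet_to_recipients),
        "shared_wallets": shared,
        "undated_demands": undated,
        "likely_hoax": bool(shared) or (bool(messages) and len(undated) == len(messages)),
    }

# Constructed sample mail, not real extortion messages; the wallet strings are fake.
SAMPLE_MESSAGES = [
    ("victim-a.example", "We are Lizard Squad. Pay 20 BTC to 1FakeCampaignWa11etAAAAAAAAAAAAAAA or we attack."),
    ("victim-b.example", "We are Lizard Squad. Pay 20 BTC to 1FakeCampaignWa11etAAAAAAAAAAAAAAA or we attack."),
    ("victim-c.example", "Pay 10 BTC to 3UniqueWa11etPerVictimBBBBBBBBBBBB before Nov 10 or your site goes down."),
]

if __name__ == "__main__":
    print(assess_campaign(SAMPLE_MESSAGES))
```

Feeding it the real mail received by every business unit shows at a glance whether the "attackers" bothered to give each victim its own wallet or a date, which is what point 4 above asks you to assess.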
As more companies are made aware that groups like these are playing on fear, hopefully these types of messages will get the same kind of respect that Viagra spam and 419 scams do.