Adversaries calling themselves the Lizard Squad have been sending businesses extortion letters, demanding payment in bitcoin to prevent a Distributed Denial of Service (DDoS) or other attack against their applications. These letters have been sent to businesses across the globe and across industries for several years, with little follow-through. These letters appear to come from multiple groups including Lizard Squad, the Armada Collective, and DD4BC, though in many case they are from copy-cat or imposter groups. A new wave of these letters seen by Akamai customers from "Lizard Squad" raise concerns that these threats may be legitimate.
Akamai is aware of, and is researching, these letters, but in our experience the majority of these threats have not been followed up on. Akamai's Security Intelligence Response Team (SIRT) published a post detailing the low ratio of threats:attacks and issued this advisory sharing common extortion letter examples and detailing the frequent overlap in Bitcoin wallets, requested Bitcoin amounts, attack start dates, and other characteristics. These are indications that the letters are being mailed in bulk, rather than tuned specifically for individual businesses; if these letters are mailed in bulk, the adversaries may not be able to tell from whom they have or have not received payment.
Following are steps we recommend for customers who are concerned about attacks originating from these extortionists.
Steps to protect your organization against extortion attacks
- Do not panic. Akamai recommends not making ransom payments; there is no guarantee the attack will arrive or that the payment would prevent it.
- Ensure that your systems are patched and in good working order; many of these letters imply that system vulnerabilities or compromises have been found. If your systems are up-to-date, it is easier to reassure your business that you're safe.
- Ensure that your organization's operations are well documented and that internal stakeholders and subject matter experts are available and ready to respond should an attack occur. Awareness of your organization's policies, processes, and procedures are invaluable for dealing with this threat.
- For businesses using Kona Site Defender: ensure that rate controls are properly tuned and in deny mode; this will limit requests from IP addresses in case of an attack; also double-check your Site Shield settings to lock down your origin, if applicable.
- For customers using Prolexic services, verify that routing procedures and runbooks are up-to-date; this will ensure that your inbound traffic can be scrubbed in the case of an attack.
- For organizations not currently using Akamai security services, please have Akamai's DDoS hotline at the ready (+1 (954) 620 6005) in case of attack.
- Review attack statistics and analyses from Akamai's latest State of the Internet Security reports to understand the scale, range, and complexity of threats to applications and digital properties. While the Lizard Stresser tool has primarily leveraged simple DoS attacks like UDP floods, many other types of attack are possible.
- Stay tuned for further research from Akamai as we investigate new bitcoin wallets, email addresses, and other details from these letters to further analyze the risks posed to extorted organizations.