Akamai Security Intelligence & Threat Research

Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail

Update 08/24/2020

As mentioned below, the Akamai SIRT has been tracking attacks from the so-called Armada Collective and Fancy Bear actors, who are sending ransom letters to various industry verticals such as finance, travel, and e-commerce. 

In addition to the information in our previous advisory, we can confirm that we're now seeing attacks peak at almost 200 Gb/sec, utilizing ARMS, DNS Flood, GRE Protocol Flood, SNMP Flood, SYN Flood, and WSDiscovery Flood attacks as their main vectors. We've not seen a specific region being targeted as a result of these extortion attacks. Institutions in the UK, US, and APAC region have received ransom letters.
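A defender-side triage sketch for the vectors listed above, added here as an example and not taken from Akamai's tooling: it labels flow records by vector and reports per-destination bandwidth above a threshold. The flow-record fields, the sample data, and the choice to match UDP vectors on their standard source port (which assumes the traffic is reflected) are assumptions.

```python
from collections import defaultdict

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47      # IANA IP protocol numbers
TCP_SYN, TCP_ACK = 0x02, 0x10
# Standard service ports; reflected replies arrive *from* these ports.
UDP_REFLECTOR_PORTS = {53: "DNS", 161: "SNMP", 3283: "ARMS", 3702: "WSDiscovery"}

def classify(flow):
    """Map one flow record to a vector label from the advisory, or None."""
    proto = flow["proto"]
    if proto == PROTO_GRE:
        return "GRE"
    if proto == PROTO_UDP:
        return UDP_REFLECTOR_PORTS.get(flow.get("src_port"))
    if proto == PROTO_TCP:
        flags = flow.get("tcp_flags", 0)
        if flags & TCP_SYN and not flags & TCP_ACK:   # bare SYN, no ACK
            return "SYN"
    return None

def summarize(flows, window_s, threshold_bps):
    """Return {(dst, vector): bits/sec} for pairs at or above threshold_bps."""
    bits = defaultdict(int)
    for flow in flows:
        vector = classify(flow)
        if vector:
            bits[(flow["dst"], vector)] += flow["bytes"] * 8
    rates = {key: total / window_s for key, total in bits.items()}
    return {key: bps for key, bps in rates.items() if bps >= threshold_bps}

# Constructed sample: one 10-second export window, documentation addresses only.
DST = "203.0.113.10"
SAMPLE_FLOWS = [
    {"proto": 17, "src": "198.51.100.7", "src_port": 3283, "dst": DST, "bytes": 750_000_000},
    {"proto": 17, "src": "198.51.100.9", "src_port": 3283, "dst": DST, "bytes": 500_000_000},
    {"proto": 17, "src": "198.51.100.22", "src_port": 3702, "dst": DST, "bytes": 250_000_000},
    {"proto": 17, "src": "192.0.2.53", "src_port": 53, "dst": DST, "bytes": 1200},
    {"proto": 47, "src": "198.51.100.40", "dst": DST, "bytes": 125_000_000},
    {"proto": 6, "src": "192.0.2.80", "src_port": 51514, "dst": DST, "bytes": 60, "tcp_flags": 0x02},
    {"proto": 6, "src": "192.0.2.81", "src_port": 443, "dst": DST, "bytes": 60, "tcp_flags": 0x12},
]

if __name__ == "__main__":
    for (dst, vector), bps in sorted(summarize(SAMPLE_FLOWS, 10, 100_000_000).items()):
        print(f"{dst} {vector}: {bps / 1e6:.0f} Mb/sec")
```

Resolver replies from port 53, single SYN packets, and GRE tunnels are all normal traffic, so the rate threshold, not the label, is what separates a flood from background.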

At this time, we are not aware of any instances where the threatened follow-up attack was initiated once the ransom demand deadline passed. Consequently, the lesson here is that regardless of whether the targeted organization pays the ransom demand, the outcome remains the same. As such, Akamai still encourages those targeted by these demands to not pay the ransom.

Likewise, we still believe that the actors conducting these extortion attacks are looking for a quick payout, with as little effort as possible on their part.

 

ORIGINAL BLOG POST 8/17/2020

TL;DR: 

Akamai is aware of new threats being made by those claiming to be Fancy Bear and Armada Collective. They are currently targeting multiple sectors, including banking and finance, as well as retail. Akamai continues to monitor these malicious activities and will continue to protect customers from attacks.

Overview: 

Akamai's Security Intelligence Research Team (SIRT) has been investigating a series of recent DDoS attacks targeting businesses across multiple sectors within the last week or so. The extortion demands are similar to those used by DDoS ransom groups in the past.

 

The letters: 

The initial contact starts with a threatening email, warning of an impending DDoS attack against the recipient's company unless a ransom is paid in Bitcoin. The wording of the extortion letters is very similar to the letters published in the media during past campaigns and similar to the last DDoS extortion campaign Akamai documented back in November 2019.

In some cases, the letters warn that if the existence of the extortion demand is disclosed publicly (i.e. released to the media), then the threatened attack will begin immediately.

"If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. (sic)" - Armada Collective

The extortion letters also focus on reputation, warning that the pending attacks will do more than just harm infrastructure.

"...your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. [...] We will completely destroy your reputation and make sure your services will remain offline until you pay. (sic)" - Fancy Bear

 

Payments: 

In the extortion demands from Armada Collective seen by Akamai, the ransom starts at 5 BTC and increases to 10 BTC if the deadline is missed, with a 5 BTC increase for each day thereafter. Fancy Bear, on the other hand, starts at 20 BTC and increases to 30 BTC if the deadline is missed, with an additional 10 BTC for each additional day.

While most extortion demands of this type follow a set amount, the financial elements are subject to change based on the whims of the threat actors themselves.

Active attacks:

The letters identify targeted assets at the victim's organization and promise a small "test" attack to prove the seriousness of the situation. Some of the ransom letters claim the threat actors have the power to unleash a DDoS attack of up to 2Tbps. 

We are aware that a 50 Gb/sec attack targeted a customer on Akamai's network. The traffic consisted of a UDP-based, ARMS protocol reflection attack; the number of reflectors used is unknown at this time.

The Akamai SIRT suspects the extortion demands are originating from copycats using the reputation of known attack groups as a means of intimidation in order to expedite payment.

Should your organization receive an extortion letter, Akamai recommends that the ransom not be paid, as there is no guarantee the attacks will end. Moreover, paying ransom demands will only further finance the group perpetrating them.

Customers: What you can do

The Akamai Security Operations Center is open 24/7, and our vast cloud-based mitigation platform is ready to respond to these threats. However, there are some proactive steps you can take:

  • Review your playbook with IT and security staff to ensure you are prepared and know what to do in the event of an attack.

  • Ensure all critical staff are available. If staff are on vacation or absent due to sickness, make sure their responsibilities are covered by others.

  • Stay in close contact with the Akamai SOC. 

  • Check the Akamai Community Security page for updates: https://community.akamai.com/community/security-research-and-intelligence