Radware recently published a cybersecurity alert, warning users were once again being targeted by DDoS extortionists for a second time by a global ransom DDoS campaign that initially started in August 2020. Organizations received new letter that said, "Maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back.”
Organizations that received this letter were companies that received threats in August and September of 2020. Analysis of this new wave of ransom letters suggests that the same threat actors from the middle of 2020 are behind these malicious communications.
- Organizations that received these new letters did not respond/pay the ransom demand in the middle of 2020
- Companies that received these new letters were not revealed to the media in August/September of 2020, so only the original threat actor would know these companies
- Radware is confident that the same threat actors that initiated this campaign in 2020 are still active today.
The ransom letter continued: "We asked for 10 bitcoin to be paid at <bitcoin address> to avoid getting your whole network DDoSed. It’s a long time overdue and we did not receive payment. Why? What is wrong? Do you think you can mitigate our attacks? Do you think that it was a prank or that we will just give up? In any case, you are wrong.”
When the DDoS extortion campaign started in August of 2020, a single Bitcoin was worth approximately $10,000. At the time of publication of this alert, it is worth approximately $30,000. This was cited by attackers in this latest round of ransom letters and is representative of the impact the rising price of Bitcoin is having on the threat landscape.
"We can easily shut you down completely, but considering your company size, it would probably cost you more one day without the Internet then what we are asking so we calculated and decided to try peacefully again. And we are not doing this for cyber vandalism, but to make money, so we are trying to be make it easier for both," the letter said. "We will be kind and will not increase your fee. Actually, since the Bitcoin price went up for over 100% since the last time we will temporarily decrease the fee to 5 BTC! Temporarily. Yes, pay us 5 BTC and we are gone!"
"You can pay us to the same address we gave you last time or if you need a new one for any reason (privacy, because you have probably forwarded our first email to law enforcement): <new bitcoin address>." The message concludes with: “Remember, we never give up. And we always come back, until we are paid. Once paid we are gone and you will never hear from us again - forever."
A few hours after receiving the letter, the organizations were hit by DDoS attacks that exceeded 200Gbps and lasted over nine hours without slowdown or interruption. A maximum attack was 237Gbps was reaching with a total duration of nearly 10 hours, and the attack vendors used match the original attacks, mainly consisting of UDP fragments, UDP Port 80 and DNS traffic.
According to Radware, there are three reasons for concern:
1. Ransom DDoS or DDoS extortion campaigns have traditionally been a seasonal event. They would run annually for a few weeks targeting specific industries/companies before the threat actor(s) would typically give up. The 2020/2021 global ransom DDoS campaign represents a strategic shift from these tactics. DDoS extortion has now become an integral part of the threat landscape for organizations across nearly every industry since the middle of 2020.
2. The threat actors are circling back to previous targets. If your organization received a letter before, there is a high chance you will receive a new letter.
3. The perseverance, size and duration of the attack makes us believe that this group has either been successful in receiving payments or they have extensive financial resources to continue their attacks.
For recommendations and mitigation strategies, please continue reading the Radware cyber alert.