New global ransom DDoS campaign targets organizations in finance, travel, and e-commerce

Since mid-August, Radware has been tracking a series of extortion demands from threat actors. The letters are delivered by email and typically contain victim-specific data, such as the Autonomous System Numbers (ASNs) or the IP addresses of the servers or services that will be targeted if the demand is not met. The campaign is global, with threats reported by organizations in finance, travel and e-commerce across APAC, EMEA and North America.

The ransom fee is initially set at 10 BTC, equivalent to approximately $113,000 at the time of the report. Some demands are set as high as 20 BTC (approximately $226,000).

The ransom letters threaten DDoS attacks of over 2 Tbps if payment is not made. To prove that the letter is not a hoax, the authors state when they will launch a demonstration attack.

The letter states that if payment is not made before the deadline, the attack will continue and the fee will increase by 10 BTC (approximately $113,000) for each missed deadline. Each letter contains a Bitcoin wallet address for payment. The wallet address is unique to each target, which allows the actor to track which victims have paid.

Radware has evidence of the threat actors following up on their initial demand. In follow-up messages, the actors point out that the unique Bitcoin address from the initial letter is still empty and reiterate the seriousness of the threat. They also provide keywords and organization names so that the target can search for recent DDoS disruptions, followed by the rhetorical question "You don't want to be like them, do you?"

The threat actors state they prefer payment over attack and allow the target to reconsider paying. The threat actor will often extend the deadline by one day.
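The letters described above carry a consistent set of indicators (target ASNs and IP addresses, a BTC demand, and a per-target wallet address), and an incident responder will want to pull those out of the email and sanity-check them before acting. The following is an added example, not code from Radware or from this article: it parses a constructed letter modelled on that structure, validates the IP addresses, and verifies the Base58Check checksum of any legacy Bitcoin address so that a mistyped or mangled string is not recorded as a wallet. The letter text, the wallet (built from a constructed 20-byte payload, not a real key hash) and the documentation-range ASN and IPs are all made up for the example; bech32 (`bc1...`) addresses are not handled.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(version: bytes, payload: bytes) -> str:
    """Base58Check-encode version||payload (used here only to build the sample wallet)."""
    data = version + payload
    raw = data + hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte encodes as '1'
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4-byte checksum is correct."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:                       # '0', 'O', 'I', 'l' and friends are never valid
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:                    # version(1) + hash160(20) + checksum(4)
        return False
    data, chk = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] == chk


# Constructed 20-byte payload standing in for a hash160; NOT a real wallet.
SAMPLE_WALLET = b58check_encode(b"\x00", hashlib.sha256(b"constructed RDoS example").digest()[:20])

# Constructed letter following the structure Radware describes. Documentation
# ranges only: AS64500 (RFC 5398) and 203.0.113.0/24 (TEST-NET-3). The last
# "IP" is deliberately malformed to show the validation step rejecting it.
SAMPLE_LETTER = f"""\
Your network AS64500 and your servers 203.0.113.10 and 203.0.113.25 will be hit
with over 2 Tbps unless 10 BTC is paid to {SAMPLE_WALLET} before the deadline.
Each missed deadline adds 10 BTC. A test attack already hit 203.0.113.300.
"""

ASN_RE = re.compile(r"\bAS(\d{1,10})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy addresses only
BTC_AMOUNT_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*BTC\b")


@dataclass
class Triage:
    asns: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    wallets: list = field(default_factory=list)      # checksum-valid addresses only
    amounts_btc: list = field(default_factory=list)
    rejected: list = field(default_factory=list)     # looked like an indicator, failed validation


def triage_letter(text: str) -> Triage:
    """Extract and validate the indicators an RDoS letter typically carries."""
    t = Triage()
    for m in ASN_RE.finditer(text):
        asn = int(m.group(1))
        (t.asns if 0 < asn < 2**32 else t.rejected).append(asn if 0 < asn < 2**32 else m.group(0))
    for m in IPV4_RE.finditer(text):
        try:
            t.ips.append(str(ipaddress.IPv4Address(m.group(0))))
        except ValueError:                # e.g. an octet above 255
            t.rejected.append(m.group(0))
    for m in BTC_ADDR_RE.finditer(text):
        (t.wallets if b58check_valid(m.group(0)) else t.rejected).append(m.group(0))
    t.amounts_btc = [float(a) for a in BTC_AMOUNT_RE.findall(text)]
    return t


if __name__ == "__main__":
    print(triage_letter(SAMPLE_LETTER))
```

The validated ASNs and IPs are what you hand to the network team to confirm they are actually yours (the actors do occasionally get this wrong), and the checksum-valid wallet is the identifier to watch on a block explorer, since the actors themselves use its balance to decide whether to follow up.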

In many cases the ransom threat is followed by DDoS attacks ranging from 50 Gbps to 200 Gbps. The attack vectors include UDP and UDP fragment floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP floods.
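A defender watching for the vectors listed above wants to know, per vector, how much traffic is arriving and from how many sources, because a multi-vector attack is mitigated one vector at a time. The following is an added example, not Radware's detection logic or anything from the article: it classifies constructed flow records (NetFlow-style tuples, invented for the example) into the vectors the report names and aggregates packet rate, bit rate and distinct sources per vector. The WS-Discovery port (UDP 3702) is the real one; the byte-size cut-offs and the rule that a TCP flow with no SYN is "out-of-state" are assumptions to tune for your own network.

```python
from collections import defaultdict
from dataclasses import dataclass

WS_DISCOVERY_PORT = 3702     # reflected WS-Discovery replies arrive with this UDP source port
AMP_MIN_AVG_BYTES = 500      # assumption: reflected replies are far larger than the probe
SYN_MAX_AVG_BYTES = 80       # assumption: a bare SYN carries no payload


@dataclass(frozen=True)
class Flow:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    bytes: int
    tcp_flags: str = ""  # flag letters seen in the flow, e.g. "S", "SA", "A", "R"
    fragment: bool = False


def classify(f: Flow) -> str:
    """Map one flow record to the attack vector it most resembles."""
    avg = f.bytes / max(f.packets, 1)
    if f.proto == "icmp":
        return "icmp"
    if f.proto == "udp":
        if f.fragment:
            return "udp-frag"
        if f.sport == WS_DISCOVERY_PORT and avg >= AMP_MIN_AVG_BYTES:
            return "ws-discovery-amp"
        return "udp"
    if f.proto == "tcp":
        if f.tcp_flags == "S" and avg <= SYN_MAX_AVG_BYTES:
            return "tcp-syn"
        if "S" not in f.tcp_flags:
            # ACK/RST/FIN with no SYN in the flow: out-of-state from the target's
            # point of view (heuristic; a stateful device would confirm it)
            return "tcp-out-of-state"
        return "tcp-session"
    return "other"


def summarize(flows, window_seconds: float) -> dict:
    """Aggregate packet rate, bit rate and distinct sources per vector."""
    stats = defaultdict(lambda: {"pps": 0.0, "gbps": 0.0, "sources": set()})
    for f in flows:
        v = classify(f)
        stats[v]["pps"] += f.packets / window_seconds
        stats[v]["gbps"] += f.bytes * 8 / window_seconds / 1e9
        stats[v]["sources"].add(f.src)
    return {v: {"pps": s["pps"], "gbps": s["gbps"], "sources": len(s["sources"])}
            for v, s in stats.items()}


def alerts(stats: dict, min_pps: float) -> list:
    """Vectors whose aggregate packet rate meets the threshold, busiest first."""
    hot = [(v, s["pps"]) for v, s in stats.items() if s["pps"] >= min_pps]
    return [v for v, _ in sorted(hot, key=lambda vp: vp[1], reverse=True)]


# Constructed 10-second sample against one target (documentation ranges only).
TARGET = "203.0.113.5"
SAMPLE_FLOWS = [
    # three WS-Discovery reflectors answering with ~1300-byte replies
    Flow("udp", "198.51.100.1", TARGET, 3702, 41234, 100_000, 130_000_000),
    Flow("udp", "198.51.100.2", TARGET, 3702, 41235, 100_000, 130_000_000),
    Flow("udp", "198.51.100.3", TARGET, 3702, 41236, 100_000, 130_000_000),
    # SYN flood from two spoofed sources
    Flow("tcp", "192.0.2.10", TARGET, 40000, 443, 500_000, 30_000_000, "S"),
    Flow("tcp", "192.0.2.11", TARGET, 40001, 443, 500_000, 30_000_000, "S"),
    # out-of-state ACKs, fragmented UDP, ICMP
    Flow("tcp", "192.0.2.12", TARGET, 40002, 443, 200_000, 12_000_000, "A"),
    Flow("udp", "192.0.2.13", TARGET, 53000, 0, 50_000, 70_000_000, fragment=True),
    Flow("icmp", "192.0.2.14", TARGET, 0, 0, 100_000, 6_400_000),
    # ordinary traffic for contrast: a real session and a small DNS reply
    Flow("tcp", "198.51.100.50", TARGET, 51000, 443, 40, 30_000, "SA"),
    Flow("udp", "198.51.100.53", TARGET, 53, 53001, 2, 400),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS, 10)
    for v in alerts(s, 1000):
        print(f"{v:20s} {s[v]['pps']:>9.0f} pps {s[v]['gbps']:.3f} Gbps {s[v]['sources']} sources")
```

The per-vector split is the useful output: the WS-Discovery component is best handled by dropping UDP source port 3702 at the edge or upstream, the SYN component by SYN cookies or a scrubbing service, and the out-of-state TCP by a stateful filter, so a single aggregate bps figure would hide what actually needs to be done.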

Radware says the threats should be taken seriously, as the letters are often followed by DDoS attacks.

More details are available in Radware's report (PDF).
