ZDNet reports that unknown scammers are impersonating the Russian-speaking hacking group Fancy Bear and blackmailing financial-sector organizations with threats of DDoS attacks. Companies in the entertainment and retail business have also been targeted by the extortionists.
One of the publication's readers told reporters about the blackmailers, and the information was soon confirmed by specialists from Link11 and Radware, both of which provide DDoS protection services. Radware's Daniel Smith said the extortion campaign began last week and was aimed mainly at financial institutions.
Interestingly, unlike other similar cases, the hackers' threats are not entirely groundless. Analysts confirm that the group actually launches multivector DDoS demonstration attacks against companies when it demands a ransom from them. According to Link11 specialist Thomas Pohle, these demo attacks use a mix of UDP reflection protocols, including DNS, NTP, CLDAP, ARMS and WS-Discovery.
According to the extortion note the attackers send to their targets, the fake Russian hackers demand a payment of 2 bitcoins, roughly $15,000 at the current exchange rate. If a company does not pay within a week, it is threatened with a powerful and sustained DDoS attack. So far, no such follow-up attacks have been recorded.
According to the experts, the extortionists research and choose their targets in advance. Pohle notes that the demo attacks are aimed not at the companies' public websites but at their back-end servers, which usually have no DDoS protection and go offline under such "close attention" from the criminals.
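The two points above (demo attacks built from several UDP reflection vectors, aimed at back-end hosts that sit outside any DDoS mitigation) translate into a simple check a defender can run over flow or firewall logs: reflected traffic arrives from many sources with the abused service port as the *source* port, and a host that suddenly receives such traffic from several of these protocols at once is seeing a multivector reflection attack. The script below is an added example written for this article, not code from ZDNet, Link11 or Radware; the flow records are constructed, and the port-to-protocol mapping uses the standard UDP ports of the five services the article names.

```python
"""Flag multivector UDP reflection traffic in flow records (added example).

The flow records below are constructed for illustration, not captured traffic.
"""
from collections import defaultdict

# Standard UDP service ports of the reflection vectors named in the article.
# Reflected/amplified traffic reaches the victim with one of these as the SOURCE port.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    3283: "ARMS",          # Apple Remote Management Service
    3702: "WS-Discovery",
}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 53,   "203.0.113.5", 41000, "udp", 3600),
    ("198.51.100.11", 53,   "203.0.113.5", 41001, "udp", 4100),
    ("198.51.100.20", 123,  "203.0.113.5", 41002, "udp", 4820),
    ("198.51.100.30", 389,  "203.0.113.5", 41003, "udp", 3900),
    ("198.51.100.40", 3702, "203.0.113.5", 41004, "udp", 2900),
    ("198.51.100.41", 3283, "203.0.113.5", 41005, "udp", 1500),
    ("192.0.2.7",     443,  "203.0.113.5", 41006, "tcp", 1200),  # ordinary HTTPS, ignored
    ("198.51.100.50", 53,   "203.0.113.9", 41007, "udp", 120),   # one normal DNS answer
]

# Thresholds are assumptions for the example; tune them to your own baseline.
MIN_VECTORS = 2      # distinct reflection protocols hitting one host
MIN_REFLECTORS = 3   # distinct reflector source addresses


def classify(flow):
    """Return the reflection vector name for a UDP flow, or None if not one."""
    _, src_port, _, _, proto, _ = flow
    if proto != "udp":
        return None
    return REFLECTOR_PORTS.get(src_port)


def analyse(flows):
    """Aggregate reflection flows per destination and return the hosts that
    exceed the multivector thresholds: {dst_ip: {vectors, reflector_count, bytes}}."""
    per_dst = defaultdict(lambda: {"vectors": set(), "reflectors": set(), "bytes": 0})
    for flow in flows:
        vector = classify(flow)
        if vector is None:
            continue
        src_ip, _, dst_ip, _, _, nbytes = flow
        stats = per_dst[dst_ip]
        stats["vectors"].add(vector)
        stats["reflectors"].add(src_ip)
        stats["bytes"] += nbytes

    alerts = {}
    for dst_ip, stats in per_dst.items():
        if len(stats["vectors"]) >= MIN_VECTORS and len(stats["reflectors"]) >= MIN_REFLECTORS:
            alerts[dst_ip] = {
                "vectors": sorted(stats["vectors"]),
                "reflector_count": len(stats["reflectors"]),
                "bytes": stats["bytes"],
            }
    return alerts


if __name__ == "__main__":
    for dst_ip, info in analyse(SAMPLE_FLOWS).items():
        print(f"{dst_ip}: multivector reflection from {info['reflector_count']} reflectors "
              f"via {', '.join(info['vectors'])}, {info['bytes']} bytes")
```

On the sample data only 203.0.113.5 is flagged (five vectors from six reflectors); the single small DNS answer to 203.0.113.9 is not, because one source and one protocol do not meet the thresholds. In production the same aggregation should run over a short time window and also weigh packet rate and average packet size, since amplified responses are large; and, following Pohle's observation, it is worth running against flows for back-end address ranges, not just the web front end.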
Researchers note that the ransom letters are almost identical to the extortion messages sent in 2017 by other scammers posing as Fancy Bear.
Let me remind you that 2015-2017 could be called the heyday of DDoS extortion and of imitators of famous hacking groups. Back then, imitators impersonated Armada Collective as well as such notorious collectives as Anonymous, LulzSec, New World Hackers, Lizard Squad and Fancy Bear.
Eventually this activity practically stopped, as the blackmailers' victims realized that most of the extortionists lacked the "firepower" to follow through on their threats and organize real DDoS attacks. Unlike those imitators, the attackers now posing as Fancy Bear appear to have a real botnet at their disposal, although it is not yet clear what it is capable of.