An infamous cyber extortionist is back and is looking for your unprotected assets.
The warning comes from cybersecurity and application delivery solutions provider Radware. This week they published a cybersecurity alert warning that Fancy Lazarus, a distributed denial of service (DDoS) extortionist, has returned with a new campaign.
It was just a few months back that someone using the monikers Fancy Bear and Lazarus Group unleashed a Ransom DDoS campaign focused on finance, travel and e-commerce organizations. It was one of the most successful DDoS extortion campaigns on record.
Radware reported an increase in emergency onboardings from new customers who had received ransom DDoS threats. They have been watching a rise in activity from Fancy Lazarus, who seeks out organizations without adequate protection and invites them to pay now or suffer a DDoS attack later.
Accompanying letters typically give victims one week to buy Bitcoin and pay the ransom, which seemingly varies based on the victim’s reputation and size. That tab grows with every day that passes.
Fancy Lazarus is asking for less this time than was requested in the last campaign, where between 10 and 20 bitcoin was the demand. This time around the grab is between half a bitcoin and five.
“This is the first time we are seeing the bad actors selectively target organizations and favor those with unprotected assets for their ransom letters,” said Pascal Geenens, director of Threat Intelligence for Radware. “This implies malicious actors are leveraging Border Gateway Protocol routing information to detect whether targets are protected by always-on cloud protection services. In addition, we’re seeing that ransom DDoS, which traditionally was an event limited in time with yearly spikes, is now becoming a persistent threat, and should be considered an integral part of the DDoS threat landscape.”
While most ISPs and CSPs have some protections in place, Fancy Lazarus appears to single out those that are weak against large, globally distributed campaigns which target their DNS servers or flood their internet links. One way to stop such strategies is to block the traffic close to its sources and prevent the many geographically distributed streams from coalescing into one link-saturating flood. Globally distributed, anycasted protection defends best against these criminals.
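The alert says the extortionists read public BGP routing data to spot prefixes that are not announced behind an always-on cloud protection service. The same data lets a network team audit its own exposure. The following is an added example, not Radware's code or tooling: it classifies an organization's prefixes from observed AS paths, with all ASNs, prefixes and route data below being constructed placeholders rather than real values.

```python
# Added self-assessment example (not from the Radware alert). Given the AS paths
# a public route collector observes for our own prefixes, decide which prefixes
# are announced behind a contracted DDoS protection provider and which are not.
# All ASNs, prefixes and paths are constructed placeholders.
import ipaddress
from typing import Dict, List

# Placeholder: ASNs of the always-on scrubbing/anycast providers we contract.
PROTECTION_ASNS = {64500}
# Placeholder: our own origin ASN and the prefixes we expect to announce.
OWN_ASN = 65001
OWN_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24", "198.18.0.0/24"]

# Constructed snapshot of what a route collector sees: prefix -> observed AS paths
# (left = collector peer, right = origin). Real data would come from a looking
# glass or a RIS/RouteViews export.
ROUTES: Dict[str, List[List[int]]] = {
    "203.0.113.0/24": [[64496, 64500, 65001], [64497, 64500, 65001]],
    "198.51.100.0/24": [[64496, 64498, 65001], [64497, 64498, 65001]],
    "192.0.2.0/24": [[64496, 64500, 65001], [64497, 64498, 65001, 65001]],
    "198.18.0.0/24": [],  # not visible from any collector peer
}


def classify_prefix(prefix: str, paths: List[List[int]]) -> str:
    """Label one prefix from the paths observed for it."""
    ipaddress.ip_network(prefix)  # reject malformed input early
    if not paths:
        return "not-announced"
    # An origin other than ours needs investigation before anything else.
    if any(p[-1] != OWN_ASN for p in paths):
        return "unexpected-origin"
    # set() collapses AS-path prepending; provider may sit anywhere in the path.
    protected = sum(1 for p in paths if PROTECTION_ASNS & set(p))
    if protected == len(paths):
        return "protected"
    if protected == 0:
        return "exposed"
    return "partially-protected"  # some peers reach us bypassing the provider


def assess(prefixes: List[str], routes: Dict[str, List[List[int]]]) -> Dict[str, str]:
    return {p: classify_prefix(p, routes.get(p, [])) for p in prefixes}


def needs_attention(report: Dict[str, str]) -> List[str]:
    """Prefixes a ransom-DDoS actor could infer as unprotected or oddly routed."""
    return sorted(p for p, s in report.items() if s in ("exposed", "partially-protected", "unexpected-origin"))


if __name__ == "__main__":
    for prefix, status in assess(OWN_PREFIXES, ROUTES).items():
        print(f"{prefix:18} {status}")
```

A prefix that is "partially-protected" is the case to look at first: a single path that bypasses the provider is enough for an attacker to reach the link directly.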
“The recent uptick in criminal activity should be a strong reminder to enterprises, ISPs and CSPs of any size and industry to assess the protection of their essential services and internet connections and plan against globally distributed DDoS attacks aimed at saturating links,” Geenens explained. “This is especially the case for service providers and their DNS services. We believe hybrid DDoS solutions provide the best of both worlds, with on-premises protection against all types of DDoS attacks while automatically diverting to a cloud DDoS service when the attack risks saturating the internet link.”