Aggressive DDoS extortionists from "Fancy Bear" are active again


Companies have been receiving blackmail e-mails sent in the name of "Fancy Bear" since 12 August. Under the subject line "DDoS attacks on your network", the perpetrators demand 15 Bitcoins, which corresponded to a value of about 150,000 euros as of 19 August. According to observations from the Link11 Security Operations Center (LSOC), the extortion is directed against companies from a range of industries, with operators of critical infrastructures increasingly in the spotlight. This matches the assessment of the World Economic Forum (WEF), whose Global Risk Report 2020 rates cyber attacks on critical-infrastructure operators as a global top-5 risk and describes them as the new normal.

The DDoS extortionists who claim to be "Fancy Bear" already pressured companies into handing over Bitcoins with DDoS attacks in October 2019. The extortion letters submitted to the LSOC last autumn and those of the current wave are largely identical in wording; only the Bitcoin addresses differ, so that the attackers can tell who has paid. The companies currently under attack are given between seven and four days to transfer the Bitcoins.

To underline the seriousness of their demands, the blackmailers announce and carry out warning attacks. These attacks are characterized by very high bandwidth and a long-lasting, high intensity, and according to the attackers they are only a foretaste: should the ransom not be paid, they threaten attacks of over 2,000 Gbps.

Attacks that the LSOC successfully repelled for KRITIS (critical infrastructure) operators reached several hundred Gbps and lasted for several hours. They consisted of UDP floods, TCP floods and SYN floods. To increase the attack volume, the perpetrators used DNS, Apple Remote Control and WS-Discovery as reflection amplification vectors.
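The vectors named above each leave a recognisable footprint in flow telemetry: reflection traffic arrives as large UDP datagrams whose source port is the abused service (UDP 53 for DNS, UDP 3283 for the Apple Remote Desktop management service that the article calls Apple Remote Control, UDP 3702 for WS-Discovery), while a SYN flood shows up as many TCP flows that never progress past the SYN flag. The following script is an added example written for this page, not LSOC or Link11 code. It triages a batch of flow records per destination and vector so that an operator can see which of these attack types is hitting which address and how much bandwidth it consumes. The record format, the one-second export window and the alert thresholds are assumptions, and the flow lines are constructed sample data, not real telemetry.

```python
"""Flow-record triage for the DDoS vectors named in the article: UDP, TCP and
SYN floods plus DNS / ARMS / WS-Discovery reflection amplification.

Added example, not Link11/LSOC code. Record format, window and thresholds are
assumptions; the sample flows are constructed, not captured traffic.
"""
from collections import defaultdict

# UDP source ports of the reflection services the article names. A flood of
# large UDP datagrams *from* these ports toward one victim is the amplification
# signature: the victim never sent the matching requests.
REFLECTION_PORTS = {53: "DNS", 3283: "ARMS", 3702: "WS-Discovery"}

# Assumed: every record below covers the same one-second export window.
WINDOW_SECONDS = 1.0
# Assumed alert thresholds, per destination and per vector within one window.
BYTES_PER_VECTOR_ALERT = 1_000_000   # 8 Mbit/s at a one-second window
SYN_PACKETS_ALERT = 5_000

# Constructed sample records (assumed format):
# proto src_ip src_port dst_ip dst_port packets bytes tcp_flags
SAMPLE_FLOWS = """\
udp 198.51.100.7  53    203.0.113.10 41000 900  1200000 -
udp 198.51.100.8  53    203.0.113.10 41001 880  1190000 -
udp 198.51.100.9  3283  203.0.113.10 52000 700  1100000 -
udp 198.51.100.11 3702  203.0.113.10 52001 650  1050000 -
udp 198.51.100.12 9     203.0.113.10 41002 500  600000  -
tcp 192.0.2.20    40000 203.0.113.10 443   3000 180000  S
tcp 192.0.2.21    40001 203.0.113.10 443   2800 168000  S
tcp 192.0.2.22    40002 203.0.113.10 443   2500 150000  S
tcp 192.0.2.50    50000 203.0.113.10 443   40   12000   SA
udp 192.0.2.60    53000 203.0.113.10 53    3    300     -
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, pkts, nbytes, flags = line.split()
        flows.append({
            "proto": proto.lower(), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "packets": int(pkts),
            "bytes": int(nbytes), "flags": flags,
        })
    return flows


def classify(flow):
    """Map one flow to the attack vector it would contribute to."""
    if flow["proto"] == "udp":
        svc = REFLECTION_PORTS.get(flow["sport"])
        return f"reflection/{svc}" if svc else "udp_flood"
    if flow["proto"] == "tcp":
        # SYN-only flows (no ACK ever seen) are the SYN-flood signature;
        # anything with further flags is counted as a generic TCP flood.
        return "syn_flood" if flow["flags"] == "S" else "tcp_flood"
    return "other"


def summarize(flows):
    """Aggregate bytes, packets and distinct sources per destination and vector."""
    summary = defaultdict(lambda: defaultdict(
        lambda: {"bytes": 0, "packets": 0, "sources": set()}))
    for f in flows:
        bucket = summary[f["dst"]][classify(f)]
        bucket["bytes"] += f["bytes"]
        bucket["packets"] += f["packets"]
        bucket["sources"].add(f["src"])
    return summary


def alerts(summary):
    """Return (dst, vector, Mbit/s, packets, distinct_sources) for buckets over threshold.

    Reflection and plain floods alert on volume; SYN floods alert on packet
    count, because their bandwidth is small but they exhaust connection state.
    """
    out = []
    for dst, vectors in summary.items():
        for vec, b in vectors.items():
            mbps = b["bytes"] * 8 / 1e6 / WINDOW_SECONDS
            over = b["bytes"] >= BYTES_PER_VECTOR_ALERT
            if vec == "syn_flood":
                over = b["packets"] >= SYN_PACKETS_ALERT
            if over:
                out.append((dst, vec, round(mbps, 2), b["packets"], len(b["sources"])))
    return sorted(out, key=lambda a: a[2], reverse=True)


if __name__ == "__main__":
    for alert in alerts(summarize(parse_flows(SAMPLE_FLOWS))):
        print(alert)
```

On the constructed input the script reports the DNS, ARMS and WS-Discovery reflection buckets by bandwidth and the SYN flood by packet count, while the small legitimate DNS query and the completed TCP handshake stay below threshold. In production the same aggregation would run over NetFlow/IPFIX exports with thresholds tuned to the protected bandwidth, which is the figure the next paragraph asks companies to verify against their SLA.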

In view of the very aggressive behaviour of the perpetrators, the LSOC recommends taking the blackmail seriously. As soon as they receive a blackmail letter, companies should proactively activate their DDoS protection systems. If the protection solution does not scale to volumetric attacks of several hundred Gbps and beyond, the company should find out how its protected bandwidth can be raised at short notice and have that increase fixed in the SLA.

In addition, the LSOC advises attacked companies not to engage with the extortionists and instead to file a complaint with law enforcement. The Alliance for Cybersecurity offers an overview of the cybercrime contact points in the individual federal states.
