


UK Editor

New DDoS extortion attacks detected as Fancy Lazarus group returns

News Analysis
Jun 11, 2021 | 5 mins

Well-known threat group resurfaces as Fancy Lazarus with a new ransom DDoS campaign targeting multiple sectors.


Security researchers are tracking new DDoS extortion activity by threat actor group Fancy Lazarus. The attacks have been primarily targeting US and global organizations from a range of sectors including energy, financial, insurance, manufacturing, public utilities and retail.

The group—which formerly used monikers such as Fancy Bear, Lazarus, Lazarus Group, and Armada Collective, among others—went on hiatus for around a month from April to May 2021 following a campaign of ransom DDoS attacks against global financial institutions and organizations that started in mid-to-late August 2020. “In each case the threat actor demanded bitcoin payment or else a small-scale denial-of-service attack would be launched with a more substantial attack mere days later,” Proofpoint researchers explained in a blog post. Now, the group has resurfaced with a new name and changes in its tactics, techniques and procedures (TTPs).

Changes to Fancy Lazarus’s DDoS attack method

These variations indicate the group’s determined effort to evolve their activities, the researchers said. The changes are the ransom pricing—reduced from 10 bitcoin to a starting price of 2 bitcoin (most likely in recognition of bitcoin’s fluctuating value)—and the wording used in the emails sent to recipients.

“There are three email variants sent to the same recipients conveying the same information, except with the email body in plain text, HTML, or as a JPG image attachment. This is likely an attempt to evade detections,” the researchers wrote. Previously, the sender would at times include the name of the targeted company’s highest-ranking person, such as the CEO. In the current campaign, a random “first name, last name” format is used and the names appear fictional, researchers said.

“It is interesting that the group is still going back and tweaking the original email, potentially indicating its effectiveness. Between August 2020 and now, however, they have tried completely different text in the emails,” researchers added.
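A defender-side sketch of why the three variants matter, added here as an illustration and not taken from Proofpoint or the article: a filter that reads only one body type misses the others, so the triage below normalizes every text part and routes image-only mail to OCR or manual review. The indicator terms, the two-hit threshold, the 40-character cutoff and the sample messages are assumptions constructed for this example.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Indicator terms taken from the article's description of the emails.
INDICATORS = [re.compile(p, re.I) for p in (r"fancy\s+lazarus", r"\bddos\b", r"\bbitcoin\b")]

class VisibleText(HTMLParser):
    """Collects the text a reader would see, dropping the markup."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def extract(msg):
    """Return (text from every text part, count of image parts)."""
    texts, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            texts.append(part.get_content())
        elif ctype == "text/html":
            parser = VisibleText()
            parser.feed(part.get_content())
            texts.append("".join(parser.chunks))
        elif part.get_content_maintype() == "image":
            images += 1
    return re.sub(r"\s+", " ", " ".join(texts)).strip(), images

def triage(msg):
    text, images = extract(msg)
    if sum(1 for rx in INDICATORS if rx.search(text)) >= 2:
        return "match"
    # Almost no text but an image attached: the body may be in the picture.
    return "needs-ocr" if images and len(text) < 40 else "clean"

def sample(kind):
    """Constructed test messages, one per variant; not real campaign emails."""
    body = "We are Fancy Lazarus. Pay 2 bitcoin or a DDoS attack starts in seven days."
    msg = EmailMessage()
    if kind == "plain":
        msg.set_content(body)
    elif kind == "html":
        msg.set_content(f"<html><body><p>{body}</p></body></html>", subtype="html")
    else:  # "image": placeholder bytes stand in for the JPG attachment
        msg.set_content("See attached.")
        msg.add_attachment(b"\xff\xd8placeholder", maintype="image", subtype="jpeg")
    return msg
```

The image variant yields no indicator hits, so it is flagged on structure alone; extracting its text would need an OCR step that is outside this sketch.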

How Fancy Lazarus structures the DDoS attacks

The emails begin with an announcement of the name the group is now using and acknowledge that the victim organization has been specifically targeted. The email urges the target to perform a Google search as proof of the group’s “previous work” and recent high-profile victims such as the New Zealand Stock Exchange. “You don’t want to be like them, do you?” the email asks.

The email then outlines, in detail, the process by which the attack will take place, stating that the recipient’s network will be subject to a DDoS attack in seven days that can only be avoided by paying a fee of 2 bitcoin by the stated deadline. To prove their seriousness, the attackers claim they will begin a small attack on a “few random IPs” that will last for around two hours. “It will not be a heavy attack, and will not cause you any damage,” the email continues.

When it comes to the full-scale assault, the group claims there is no counter-measure due to the power of the attack, which they state will peak at over 2 Tbps. “This means your websites and other connected services will be unavailable for everyone,” the email reads. “If you don’t pay the attack will start and the fee to stop will increase to 4 bitcoin and will increase by 1 bitcoin for each day after the deadline that passed without payment.”

The growth of ransom DDoS attacks

Speaking to CSO, Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, explains that, while ransom DDoS attacks are not a recent development, the growing adoption of cryptocurrency is significantly driving a surge in them.

“More recently, there was an uptick in ransom DDoS activity starting last year with the activity coming from this group. Since August 2020, when we first began tracking this activity, Proofpoint researchers have seen about 180 customers spanning a multitude of diverse and unrelated verticals sent these extortion emails. About 59 of those were seen in the first month.”

Ransom DDoS attacks are also becoming increasingly effective, DeGrippo adds, particularly against organizations that lack web application firewalls or upstream service providers that can effectively filter DDoS traffic from legitimate traffic. “Threat actors are always looking for the most efficient means of getting what they want, in this case a financial payoff,” she adds. “DDoS attacks have become increasingly easier to launch and have a potentially substantial payoff for considerably less work than something like a ransomware attack would require. Additionally, by conducting this type of attack, the threat actor bypasses automated security protections that would flag and block ransomware.”

Regarding the legitimacy of the group’s claims that their assault will peak over 2 Tbps, DeGrippo admits that, without full visibility into the attacks, it is difficult to validate for certain. However, “based on FBI reports and information sharing groups, some attacks have reportedly reached approximately 2 Tbps,” she says. It is also worth noting, however, that FBI reporting has indicated that many affected companies that have passed the threatened deadline have either seen no additional activity or seen the activity successfully mitigated.

Regardless, organizations should be prepared for such attacks by having appropriate mitigations in place, DeGrippo concludes. “This includes using a DoS protection service and having disaster recovery plans at the ready. Good response falls into good technology and partnerships to help filter DDoS traffic when under attack. Organizations must have a plan in place for what to do in these scenarios before they happen.”


Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
