What is RDoS?
In Ransom Denial of Service (RDoS) attacks, cybercriminals send an email to the organisations they wish to target, threatening to launch destructive DoS or DDoS attacks that degrade networks and block access to systems if a ransom is not paid. To make the threat more credible, cybercriminals typically launch a limited attack before the payment deadline, pressuring organisations into paying the ransom to prevent more destructive attacks from occurring. If the target fails to pay the ransom within the given deadline, cybercriminals typically launch DoS attacks that can last hours, days or even weeks, impairing the organisation’s productivity and ability to conduct business and causing serious reputational damage. In most cases, the ransom amount increases once the attack starts, and continues to increase every day that the victim refuses to pay. Threat actors have often been observed pretending to be infamous hacker groups with close ties to, or sponsorship from, nation-states. Posing as an instantly recognisable cyber group allows cybercriminals to instil more fear and pressure in the target organisation, increasing the chance that a ransom payment will be made. The preferred targets for this type of attack are organisations that would incur significant financial losses if their resources and systems were unavailable for even a short period of time.
Global RDoS campaigns
RDoS attacks are not a new weapon for cybercriminals: this type of malicious activity has been observed since 2016, with two campaigns witnessed in 2017 and 2019. One of the most prolific RDoS campaigns commenced in August 2020, when cybercriminals were observed targeting organisations across the world, particularly in the financial, e-commerce, retail and travel sectors. The campaign involved a threat actor posing as different Advanced Persistent Threat actors, including Fancy Bear, the Armada Collective, Lazarus Group and Cozy Bear, and sending emails warning institutions that their network would suffer a DDoS attack should a ransom not be paid within a week. The letter asked the targets for 10 to 20 Bitcoins (equivalent to $113,000-230,000 in 2020) to prevent the attack from occurring, plus an additional 10 Bitcoin for each day that the ransom went unpaid once the attack commenced. The spate of attacks led the FBI to issue an alert labelling the campaign a serious threat. According to the FBI, however, a number of institutions that refused to pay the ransom were not attacked after the payment deadline. New Zealand’s Stock Exchange did suffer a DDoS attack after not paying the ransom; the attack impacted the institution’s network connectivity and halted cash market trading. The ransom email sent to New Zealand’s Stock Exchange claimed to be from the infamous hacker group Fancy Bear. The 2020 ransom note was revealed to be nearly identical to the note used during the 2017 and 2019 campaigns, suggesting the same threat actor was possibly behind all three campaigns.
Following the high levels of activity witnessed in August 2020, the RDoS campaign slowed down in September, only to pick up the pace again in October 2020. One of the victims in October was the British foreign exchange company Travelex, which was threatened with a DDoS attack, unless it paid 20 BTC to the threat actor posing as the Lazarus Group. After receiving the extortion note, Travelex suffered a volumetric attack on a custom port of four IP addresses serving the company’s subdomain.
In 2021, the threat actor reappeared on the cybercrime scene after disappearing for over a year, using the name Fancy Lazarus, a combination of the two popular cyber group names Fancy Bear and Lazarus. Similarly to the previous campaigns, the threat actor sent ominous emails to its targets, many of which were said to be institutions that had not paid the ransom in previous campaigns. The targeted organisations were mainly US-based or global institutions operating in the energy, financial, insurance, manufacturing, public utilities and retail sectors. The ransom note sent to these targets shared the same body content as notes from previous campaigns, the main notable difference being the price of the ransom: from the initial 10-20 BTC demanded in 2020, the threat actor adjusted the price to account for the fluctuating value of Bitcoin, asking for 2 BTC ($75,000 in 2021) as a starting ransom. In October 2021, the UK telecommunications sector disclosed that a number of its VoIP members had been hit by a string of RDoS attacks. Providers including Voipfone, VoIP Unlimited and VoIP.ms reported receiving ransom notes from the extortionist group, and some experienced DDoS attacks following the threat. These attacks disrupted the companies’ infrastructure and their telephone and messaging services for several days; in particular, the critical infrastructure of UK entities was impacted, including the police, the NHS and public services. Similarly, Bandwidth.com, an upstream provider for VoIP companies, was targeted by the extortion campaign and incurred losses of between $9 and $12 million because of service downtime following the DDoS attack from the threat group.
In October 2021, email providers also attracted the attention of RDoS attackers. Over nine email service providers, including Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, Kolab Now and RiseUp, came under DDoS fire after receiving a ransom note giving them 3 days to pay 0.06 BTC (around $4,000). In this case the ransom notes were signed by a different threat actor, going by the name Cursed Patriarch.
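The extortion model described above (a claimed group name, an initial demand in BTC, a payment deadline and a per-day increase once the attack starts) is simple enough to parse automatically when a note lands in a SOC mailbox. The following triage helper is an added example and is not code from the article or from White Blue Ocean; the sample note is constructed for illustration, the list of impersonated names is taken from the campaigns described on this page, the escalation model (initial demand on the deadline day, plus the daily increase for every further unpaid day) and the BTC price used to convert to USD are assumptions.

```python
"""Triage helper for RDoS extortion emails (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Optional

# Names the article reports as impersonated in RDoS notes (2017-2021 campaigns
# and the Cursed Patriarch notes). Longest first so that "fancy lazarus" is
# matched before the shorter "lazarus".
IMPERSONATED_GROUPS = sorted(
    ["fancy bear", "armada collective", "lazarus group", "lazarus",
     "cozy bear", "fancy lazarus", "cursed patriarch"],
    key=len, reverse=True,
)

# A BTC amount such as "2 BTC", "0.06 btc" or "10 Bitcoins" (case folded first).
BTC_AMOUNT = r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)"

# Constructed sample note; wording is invented, not a real extortion email.
SAMPLE_NOTE = """\
Hello. We are the Fancy Lazarus and we have chosen your network for our next DDoS attack.
Your whole network will be subject to a DDoS attack starting in 7 days.
The current fee is 2 BTC. If you do not pay, the fee increases by 1 BTC every day after the attack starts.
"""


@dataclass
class RansomNote:
    claimed_group: Optional[str]          # group the sender claims to be
    initial_btc: Optional[float]          # amount demanded before the deadline
    daily_increase_btc: Optional[float]   # increase per unpaid day after the attack starts
    deadline_days: Optional[int]          # days given to pay


def parse_note(text: str) -> RansomNote:
    """Extract the extortion parameters from a ransom note (best effort)."""
    low = text.lower()
    group = next((g for g in IMPERSONATED_GROUPS if g in low), None)

    # The daily-increase clause: "increases by 1 BTC", "add 10 bitcoin", ...
    daily = re.search(r"(?:increas\w*|add\w*|rais\w*)\s+(?:by\s+)?" + BTC_AMOUNT, low)
    daily_btc = float(daily.group(1)) if daily else None

    # The initial demand is the first BTC amount that is not the daily-increase amount.
    initial_btc = None
    for m in re.finditer(BTC_AMOUNT, low):
        if daily and m.start(1) == daily.start(1):
            continue
        initial_btc = float(m.group(1))
        break

    deadline = re.search(r"(\d+)\s*days?", low)
    deadline_days = int(deadline.group(1)) if deadline else None
    return RansomNote(group, initial_btc, daily_btc, deadline_days)


def escalation_schedule(note: RansomNote, days_after_deadline: int, btc_usd: float):
    """Demanded amount per day after the deadline, as (day, btc, usd) tuples.

    Assumed model: day 0 is the deadline day at the initial demand; every further
    unpaid day adds the daily increase. btc_usd is the assumed exchange rate.
    """
    if note.initial_btc is None:
        raise ValueError("no initial demand found in note")
    daily = note.daily_increase_btc or 0.0
    schedule = []
    for day in range(days_after_deadline + 1):
        btc = note.initial_btc + daily * day
        schedule.append((day, btc, btc * btc_usd))
    return schedule


def triage(text: str, btc_usd: float) -> dict:
    """Parse a note and attach analyst-facing flags for the incident ticket."""
    note = parse_note(text)
    flags = []
    if note.claimed_group:
        flags.append(f"claims to be '{note.claimed_group}', a name recycled across earlier "
                     "RDoS campaigns; treat the attribution as unverified")
    if note.daily_increase_btc:
        flags.append(f"daily escalation clause present (+{note.daily_increase_btc} BTC/day)")
    if note.deadline_days is not None and note.deadline_days <= 7:
        flags.append(f"short deadline ({note.deadline_days} days); a limited demonstration "
                     "attack before it expires is typical of this scheme")
    initial_usd = note.initial_btc * btc_usd if note.initial_btc is not None else None
    return {"note": note, "initial_usd": initial_usd, "flags": flags}


if __name__ == "__main__":
    result = triage(SAMPLE_NOTE, btc_usd=37500.0)  # assumed 2021-era rate
    print(result["note"])
    for flag in result["flags"]:
        print("-", flag)
    for day, btc, usd in escalation_schedule(result["note"], 3, 37500.0):
        print(f"day {day}: {btc} BTC (~${usd:,.0f})")
```

The parser deliberately stays permissive: notes in these campaigns reuse boilerplate, so a few regexes cover the common phrasing, and anything it cannot find is left as `None` for the analyst rather than guessed. The escalation schedule is only an estimate under the stated model; its purpose is to give the incident team a concrete figure to weigh against the cost of DDoS mitigation rather than to encourage payment.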
To pay or not to pay?
Both the FBI and cybersecurity firms have advised targeted organisations not to pay the ransom, especially since there is no assurance that the threat group will honour the terms it set and refrain from launching an attack. As the FBI pointed out, paying the ransom might also lead other extortionist groups to threaten the same targets in the hope of receiving a ransom payment as well. In addition, paying cybercriminals only funds their future malicious activities, allowing them to refine their capabilities and engage in even more destructive campaigns.
RDoS attacks are expected to grow as a threat and to continue impacting organisations for the foreseeable future. This is because even less experienced and less technologically capable threat actors can launch profitable attacks without needing to gain privileged access, as is required for more complex attacks such as ransomware.
The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.