Akamai Identifies Copycat DDoS Extortion Rings

A group of copycat cybercriminals that appears to be pretending to be affiliated with more notorious threat actors is sending extortion letters threatening distributed denial of service (DDoS) attacks.

According to a report published this week by the Security Intelligence Research Team (SIRT) at Akamai, letters are being sent by threat actors claiming to be part of well-known cybercriminal rings such as Fancy Bear and Armada Collective. However, Steve Ragan, a security researcher for Akamai, said an analysis of the letters suggests the groups sending these letters are attempting to increase fear and dread among their potential victims by citing affiliation with cybercriminals that already have established notorious reputations.

In the extortion demands purporting to be from Armada Collective seen by Akamai, the ransom starts at 5 bitcoin and increases to 10 if the deadline is missed, with a 5-bitcoin increase for each day thereafter. In the letters allegedly from Fancy Bear, the ransom starts at 20 bitcoin, and increases to 30 if the deadline is missed, with 10 bitcoins added each additional day.

The letters are far from idle threats. The individuals threatening to launch DDoS attacks unless their bitcoin ransom demands are met are capable of launching those attacks, noted Ragan. The letters identify targeted assets at the victim’s organization and promise a small “test” attack to prove the seriousness of the situation.

Akamai is also aware of one 50Gbps attack that targeted a customer on Akamai’s network. The traffic consisted of a UDP-based, ARMS protocol reflection attack. The number of reflectors used is unknown at this time. Some of the ransom letters claim to be able to launch 2Tbps attacks.

Regardless, Ragan said Akamai does not advise organizations to pay a ransom; content delivery networks operated by Akamai can mitigate such attacks as part of a cybersecurity playbook.

The number and scope of DDoS attacks have been steadily increasing since at least the beginning of the year. It also appears these attacks are being launched with more frequency as the number of devices that can be compromised by a botnet steadily increases as well. IT teams that don’t have access to distributed networks will find it increasingly difficult to defend against DDoS attacks that can now cripple websites for days at a time. At a time when more organizations are dependent on web applications to generate revenue, cybercriminals are looking to extort money from organizations that could stand to lose more than a few bitcoins.

Of course, caving in to those extortion demands is no different than paying to “protect” a storefront from being vandalized or firebombed. Regardless of the medium, extortion is still a racket.

Hopefully, the perpetrators of these schemes will one day experience the full weight of the law. In the meantime, there’s strength in numbers. The larger the network employed, the more feasible it becomes for owners of websites and applications to defend themselves. In some ways, it’s not all that different from shopkeepers banding together to create a neighborhood association to defend their interests.
