Security researchers are tracking a new distributed denial-of-service (DDoS) extortion activity by threat actor group Fancy Lazarus. The attacks have been primarily targeting US and global organisations from a range of sectors including energy, financial, insurance, manufacturing, public utilities and retail.
The group – which formerly used monikers such as Fancy Bear, Lazarus, Lazarus Group, and Armada Collective, among others – went on hiatus for around a month from April to May 2021 following a campaign of ransom DDoS attacks against global financial institutions and organisations that started in mid-to-late August 2020.
“In each case the threat actor demanded bitcoin payment or else a small-scale denial-of-service attack would be launched with a more substantial attack mere days later,” Proofpoint researchers explained in a blog posting. Now, the group has resurfaced with a new name and changes in its tactics, techniques and procedures (TTPs).
Changes to Fancy Lazarus’s DDoS attack method
These variations indicate the group’s determined effort to evolve their activities, the researchers said. The changes are the ransom pricing – reduced from 10 bitcoin to a starting price of two bitcoin (most likely in recognition of bitcoin’s fluctuating value) – and the wording used in the emails sent to recipients.
“There are three email variants sent to the same recipients conveying the same information, except with the email body in plain text, HTML, or as a JPG image attachment. This is likely an attempt to evade detections,” the researchers wrote.
Previously, the sender would, at times, include the targeted company’s highest-ranking person such as the CEO’s name. In the most current campaign, a random first name, last name format is used and the names appear fictional, researchers said.
“It is interesting that the group is still going back and tweaking the original email, potentially indicating its effectiveness. Between August 2020 and now, however, they have tried completely different text in the emails,” researchers added.
How Fancy Lazarus structures the DDoS attacks
The emails begin with an announcement of the name the group is now using and acknowledge that the victim organisation has been specifically targeted. The email urges the target to perform a Google search as proof of the group’s “previous work” and recent high-profile victims such as the New Zealand Stock Exchange. “You don’t want to be like them, do you?” the email asks.
The email then outlines, in detail, the process by which the attack will take place, stating that the recipient’s network will be subject to a DDoS attack in seven days that can only be avoided by paying a fee of two bitcoin by the stated deadline.
To prove their seriousness, the attackers claim they will begin a small attack on a “few random IPS” that will last for around two hours. “It will not be a heavy attack, and will not cause you any damage,” the email continues.
When it comes to the full-scale assault, the group claims there is no counter-measure due to the power of the attack, which they state will peak at over two Tbps.
“This means your websites and other connected services will be unavailable for everyone,” the email reads. “If you don’t pay the attack will start and the fee to stop will increase to four bitcoin and will increase by one bitcoin for each day after the deadline that passed without payment.”
The growth of ransom DDoS attacks
Speaking to CSO, Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, explains that, while ransom DDoS attacks are not a recent development, the growing adoption of cryptocurrency is significantly driving a surge in the amount of ransom DDoS attacks taking place.
“More recently, there was an uptick in ransom DDoS activity starting last year with the activity coming from this group. Since August 2020, when we first began tracking this activity, Proofpoint researchers have seen about 180 customers spanning a multitude of diverse and unrelated verticals sent these extortion emails. About 59 of those were seen in the first month.”
Ransom DDoS attacks are also becoming increasingly effective, DeGrippo adds, particularly against organisations that lack web application firewalls or upstream service providers that can effectively filter DDoS traffic from legitimate traffic.
“Threat actors are always looking for the most efficient means of getting what they want, in this case a financial payoff,” she adds. “DDoS attacks have become increasingly easier to launch and have a potentially substantial payoff for considerably less work than something like a ransomware attack would require. Additionally, by conducting this type of attack, the threat actor bypasses automated security protections that would flag and block ransomware.”
Regarding the legitimacy of the group’ claims that their assault will peak over two Tbps, DeGrippo admits that, without full visibility into the attacks, it is difficult to validate for certain.
However, “based on FBI reports and information sharing groups, some attacks have reportedly reached approximately two Tbps,” she says. It is also worth noting however that FBI reporting has indicated that many affected companies that have passed the threatened deadline have either not seen any additional activity or the activity has been successfully mitigated.
Regardless, organisations should be prepared for such attacks by having appropriate mitigations in place, DeGrippo concludes. “This includes using a DoS protection service and having disaster recovery plans at the ready. Good response falls into good technology and partnerships to help filter DDoS traffic when under attack. Organisations must have a plan in place for what to do in these scenarios before they happen.”