A Three-Episode DDoS Ransom Attack Prologue


DDoS attacks are becoming a part of ransom attacks. Instead of infiltrating secure organizational assets, attackers are launching devastating DDoS attacks to demonstrate their capabilities and demand ransom money. Understanding the ransom DDoS threat is essential to building an effective mitigation plan.

Our story begins in August of 2020, and continues for over a year with three episodes. Here they are:

Episode I

In August 2020, we witnessed the first wave of cyber extortion attacks, in which the ‘Lazarus group’ targeted finance, travel and e-commerce organizations by sending them a ransom email requesting payment of 10 bitcoins (about $100,000 at the time). A few hours after receiving the message, organizations were hit by DDoS attacks exceeding 200Gbps and lasting over nine hours, causing severe service disruption.

In their letters (see below), the extortionists gave their victims seven days to buy the bitcoin and pay the ransom before deploying their DDoS attacks. However, every day of delay increased the ransom by 1 bitcoin.

[Image: sample extortion letter that Fancy Lazarus sent to its targets.]


Episode II

In January 2021 we saw a second extortion wave. The cyber criminals sent new extortion emails stating, “Maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back.” This time they asked for 5 bitcoin (the bitcoin price then exceeded $30,000).

The lesson is clear: do not pay the ransom! If you do pay, you will be targeted again and again, and so it continues.

Episode III

Starting June 2021, a new wave of cyber extortion campaigns began targeting all sectors, starting with Danish and Irish ISPs and CSPs. The group changed its name to ‘Fancy Lazarus’. The ransom was much smaller and varied by victim between ₿0.5 (US$18,500), ₿2 (US$75,000) and ₿5 (US$185,000); the demand was adapted to the company size. Subsequent attacks reached up to 200Gbps.

As DDoS attacks have evolved, we have seen new tactics in which the attackers hunted for unprotected assets, including public cloud assets, attacked DNS services and saturated links. This demonstrates that the attackers prepared in advance by learning their victims’ weak spots.

Reports from victims impacted by follow-through attacks of this extortion campaign confirm that most were relying on their ISP or CSP to defend against DDoS threats. However, they were not prepared for large-scale DDoS attacks with varying attack vectors, including application-layer DDoS attacks.


Ron Meyran

Ron Meyran leads the marketing activities, partner strategy and go-to-market plans for Radware’s alliance and application partners. He also works to develop joint solutions that add value and help drive sales initiatives designed to increase visibility and lead generation. Mr. Meyran is a security and SDN industry expert who represents Radware at various industry events and training sessions. His thought leadership and opinion pieces have been widely published in leading IT and security industry magazines. He holds a B.Sc. degree in Electrical Engineering from Ben-Gurion University and an MBA from Tel Aviv University.
