Fancy Bear DDoS for Ransom

November 12, 2017 02:00 PM

Over the last week, Radware’s Emergency Response Team (ERT) has been tracking an emerging ransom denial-of-service (RDoS) campaign from a group identifying itself as Fancy Bear. The group has been distributing extortion emails to payment processing vendors in multiple locations across the globe.

Download a Copy Now


Over the last week, Radware’s Emergency Response Team (ERT) has been tracking an emerging ransom denial-of-service (RDoS) campaign from a group identifying itself as Fancy Bear. The group has been distributing extortion emails to payment processing vendors in multiple locations across the globe.

Figure 1: Fancy Bear RDoS note


In RDoS attacks, the perpetrators send a letter threatening to attack an organization—rendering its business, operations or capability unavailable—unless a ransom is paid by the deadline. This extortion method has grown in popularity every year since 2010 and typically come in the form of a volumetric distributed denial-of-service (DDoS) attack. However, it is increasingly in vogue to find techniques that are more piercing and more efficient without generating large volumes. The most advanced attacks combine both volumetric and non-volumetric cyber-attack techniques. The success of such cyber-extortion campaigns has led to many copycats that simply distribute emails at all directions hoping to be paid.

At the end of April, a group claiming to be Fancy Bear began sending out extortion attempts. The extortionist behind this campaign attempted to intimidate their victims by using the name of APT28 (Fancy Bear) and an infamous cyber-espionage group. APT28 is believed to be a nation state-level attacker that uses zero-day exploits and spear phishing attacks to spread malware. RDoS attacks were not the typical modus operandi for Fancy Bears’ attacks to date.

However starting in November, Fancy Bear’s name is appearing on extortion letters in this new RDoS campaign. This time, Fancy Bear is requesting between 1-2 bitcoins with the ransom increasing by one bitcoin every day without payment.

What is RDoS

RDoS campaigns are extortion-based distributed denial-of-service attacks motivated by monetary gain. Attacks typically start with a letter or even a Twitter post threatening to launch an attack at a certain day and time unless a ransom is paid. To validate the threat, attackers will often launch a sample attack on the victim's network.

This method was initially introduced by DD4BC and has been replicated by the Armada Collective since 2015. Armada would accompany their ransom notes with a short "demo" attack. Armada Collective's RDoS attacks were methodical and achieved high success rates. Today, many hacker groups imitate this modus operandi and spread similar ransom threats using other group names as a form of intimidation with no intention (or limited capacity) of launching an attack.

Reasons for Concern

In 2016, ransom was the number one motivation behind cyber-attacks; half of organizations were subject to this extortion threat, according to Radware’s 2016-2017 Global Application & Network Security Report. In parallel to the ransomware plague, Radware witnessed an emerging trend of hackers (and copycats) that extort organizations by posing an imminent threat of DDoS attacks. As IoT botnets have become more powerful, Radware has witnessed an increase in the number of RDoS threats that companies have received in 2017.

RDoS campaigns can be financially rewarding to a cyber-criminal who enjoys making large amounts of money for little to no investment. Because of this, many hacking groups now imitate this model and spam similar ransom threats using other group names, with no intention of launching an attack.

Figure 2: Current Fancy Bear extortion email


Currently the group claiming to be Fancy Bear is targeting a limited number of financial services organizations – payment processers under the threat of an attack from the Mirai Botnet. Each letter contains a unique bitcoin address. In the note, Fancy Bear listed the IP address of the victim and targeted them with a sample attack. As of this moment, no follow through attacks have been observed.

Attack Vectors

Most of these DDoS for ransom groups that actually launch attacks are running their own network stressers, however some leverage publicly-available stressers to conduct campaigns. When experiencing a RDoS attack, expect 100+ Gbps and multi-vector attacks simultaneously. The attack is likely to be persistent and last for days. Attack vectors include floods using the following protocols:

  • SSDP
  • NTP
  • DNS
  • UDP
  • SYN Flood
  • SSYN
  • ICMP

Dealing with a Ransom Letter

Companies are advised not to pay an extortionist and seek professional assistance for mitigating RDoS attacks. Such a threat usually provokes the need for a scrubbing service, ACL/BGP reconfiguration, as well as the usual DDoS protection essentials to assure uptime and SLA.

Organizations Under Attack Should Consider

Evaluation – Is It Real or Fake?

Although it is almost impossible to determine whether a ransom note comes from a competent hacking group or an amateur unit, there are several indicators to distinguish between the two.

  • The fake RDoS groups often request a different amount of money than the original
  • "Real" groups prove their competence; fake groups exclude the "demo" attack
  • These groups do not have official websites or target lists
  • When hackers launch real RDoS attacks, they normally target less than a dozen companies under the same industry
  • Look for suspicious indicators. Is this group known for DDoS attacks? In the case of Fancy Bear, they do not launch RDoS attacks.

Effective DDoS Protection Essentials

  • Hybrid DDoS Protection - (On-premise and cloud DDoS protection) for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation
  • Behavioral-Based Detection - Quickly and accurately identify and block anomalies while allowing legitimate traffic through
  • Real-Time Signature Creation - Promptly protect from unknown threats and zero-day attacks
  • A Cyber-Security Emergency Response Plan - A dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks

For further DDoS protection measures, Radware urges companies to inspect and patch their network in order to defend against risks and threats.

Under Attack and in Need of Expert Emergency Assistance? Radware Can Help.

Radware offers a DDoS service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damages occur. If you’re under DDoS attack or malware outbreak and in need of emergency assistance, Contact us with the code "Red Button".

Click here to download a copy of the ERT Threat Alert.

Download Now

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center