Radware reported that customers initially hit with DDoS ransom demands received new DDoS extortion letters threatening them with DDoS attacks if they failed to pay up.
The cybersecurity firm believes the new demands were fueled by the Bitcoin price, which has tripled since the initial DDoS threats. The attackers threatened the victims with crippling DDoS attacks if they failed to pay between 5 and 10 Bitcoins, valued at about $150,000 to $300,000.
According to Radware, the companies received the new ransom demands in December 2020 and January 2021, while the initial threats were issued in August and September 2020, when the Bitcoin price was about $10,000.
The threat intelligence firm added that the threat actors impersonated the most notorious ransomware operators to make their threats more credible. Radware reported that most clients who refused to pay were hit with intense DDoS attacks exceeding 200 gigabits per second.
DDoS extortion threat actors blamed for multiple attacks in the past
The DDoS extortion letters were associated with groups responsible for a wave of DDoS attacks on OTP Bank, Magyar Telecom, MoneyGram, YesBank, Braintree, and Venmo. The New Zealand Exchange DDoS attack was among the most intense, shutting down the organization for four days and causing undisclosed financial losses.
Despite their previous successes, the groups posed as renowned threat actors, including Fancy Bear, Lazarus Group, and the Armada Collective. Other emails used the display name Kadyrovtsy, a Chechen nationalist paramilitary force, according to Black Lotus Labs.
However, cybersecurity experts believe that the groups were mere copycats of the named threat actors.
Radware believes the affected customers either ignored the initial ransom demands or were targets known only to the threat actors and never reported in the media.
DDoS extortion groups fulfill their cyber-attack threats
Pascal Geenens, the threat intelligence director at Radware, noted that 80%, or four out of five, of the Radware customers who received the DDoS extortion letters experienced distributed denial of service (DDoS) attacks.
The most intense attack lasted 10 hours and peaked at a record 237 gigabits per second. Geenens added that the targeted Radware clients weathered the DDoS attacks by rerouting their traffic to Radware's scrubbing center.
Bitcoin price surge responsible for the new wave of DDoS extortion attempts
Geenens believes that the threat actors were incentivized by the Bitcoin price surge that has more than tripled since the last campaign. He suggested that the attackers hoped to cash in while the Bitcoin price was still high.
He also noted that the threat actors attempted to present themselves as reasonable people trying to save the companies from making colossal losses from shutting down.
Instead, they present their demand as a more reasonable offer, less costly than the financial losses a DDoS-induced Internet outage would cause.
“We can easily shut you down completely, but considering your company size, it would probably cost you more one day without the Internet then what we are asking so we calculated and decided to try peacefully again,” the DDoS extortion letters read. “And we are not doing this for cyber vandalism, but to make money, so we are trying to be make (sic) it easier for both.”
The Bitcoin price surge also forced the threat actors to lower their demands, sometimes asking for five instead of ten Bitcoins, because the high Bitcoin price made it impossible for some companies to pay.
The cybercrime gangs promised to remain persistent until their ransom demands were met, while also promising to stay away after payment.
However, there is no guarantee that they would keep their word. Additionally, paying the ransom could attract other threat actors' attention, making the ransom-paying businesses more prone to further DDoS extortion attempts.
Similarly, paying encourages the groups to target other businesses, making DDoS extortion a common practice. Together with the Bitcoin price surge, these circumstances make it less likely that companies will pay the ransom.
James McQuiggan, a security awareness advocate at KnowBe4, believes that surrendering to cybercriminals’ DDoS extortion attempts exacerbates the situation.
“In this situation, the cybercriminals realize that once an organization has paid up in previous instances, they can demand money again.”
He added that “cybercriminals always go where the money is and can be repeat customers.” In this case, however, the cybercriminals are exploiting a business and not patronizing it, according to McQuiggan.
“Technology is available to reduce the risk and protect against DDoS attacks. It’s important to incorporate this with the same advice given for ransomware attacks: do not pay the cybercriminals. It further supports their endeavors and can mean repeated visits by them after paying them off.”