Since the second half of 2020, Lumen Black Lotus Labs® has observed an unsettling number of entities receiving emails containing a threat of sustained DDoS attack unless a Bitcoin ransom was paid. These attacks – known as Ransom Distributed Denial of Service (RDDoS) – could not have come at a worse time, as many businesses have become entirely dependent on their internet connectivity to comply with COVID-19 restrictions imposed for safety or compliance with local law.
Quick Overview Of Ransom DDoS; What It Is And What It Is Not
An RDDoS attack is a mechanism for cybercriminals to extort funds from a legitimate business by threatening to perform impactful DDoS attacks against it if it does not pay a ransom. One important factor that distinguishes RDDoS from other attacks such as ransomware is that the actor does not need privileged access to any system in order to carry out the attack. RDDoS attackers aim to exhaust the available resources of publicly reachable networks, infrastructure or applications, which in turn renders that service unavailable to legitimate users. These types of attacks can impair a business’s ability to operate and cause reputational harm if they are not addressed in a timely manner.
Black Lotus Labs has observed this type of activity before, dating as far back as 2016. The campaigns that transpired in 2020, however, were greater in number and duration. In addition, many groups in the past never actually performed any DDoS attacks at all. In contrast with these previously hollow threats, today’s group of cybercriminals often performs a limited attack in order to prove its capability and malicious intent. These demonstration attacks have ranged from fifteen minutes to two hours and have typically been focused on organizations’ DNS servers or public websites. Once the attack is completed, the actor sends the ransom email and demands payment in Bitcoin to an actor-controlled wallet.
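The demonstration attack described above is short and volumetric, so a defender's first useful signal is a sustained jump in request rate against the DNS server or website, bounded to roughly the fifteen-minute to two-hour window. The following is an added example written for this page, not code from Black Lotus Labs or from any monitoring product. It assumes a per-minute request-count series (the sample series is constructed), builds a robust baseline from a quiet period using the median and median absolute deviation, and reports each burst with its duration so it can be matched against the arrival time of a ransom email. The threshold multiplier and minimum run length are assumed tuning values, not figures from the page.

```python
"""Flag sustained volumetric bursts in per-minute request counts.

Added example: detects runs of minutes whose request rate sits far above a
robust baseline, then labels each run by its length against the demonstration
window the report describes (15 minutes to 2 hours).
"""
from statistics import median
from typing import Dict, List, Tuple

# Duration band of the demonstration attacks described in the report.
MIN_DEMO_MINUTES = 15
MAX_DEMO_MINUTES = 120


def robust_baseline(samples: List[int]) -> Tuple[float, float]:
    """Median and median absolute deviation (MAD) of a quiet-period series.

    Median/MAD are used instead of mean/stddev so that a few noisy minutes in
    the baseline window do not inflate the threshold.
    """
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, mad


def find_bursts(series: List[int], baseline: List[int],
                k: float = 6.0, min_len: int = 5) -> List[Tuple[int, int]]:
    """Return (start, end) minute indices (end exclusive) of runs where the
    rate exceeds median + k * MAD for at least min_len consecutive minutes.
    k and min_len are assumed tuning values."""
    med, mad = robust_baseline(baseline)
    threshold = med + k * max(mad, 1.0)  # guard against a zero MAD
    bursts: List[Tuple[int, int]] = []
    start = None
    for i, rate in enumerate(series):
        if rate > threshold and start is None:
            start = i
        elif rate <= threshold and start is not None:
            if i - start >= min_len:
                bursts.append((start, i))
            start = None
    if start is not None and len(series) - start >= min_len:
        bursts.append((start, len(series)))
    return bursts


def label_duration(minutes: int) -> str:
    """Classify a burst by length relative to the demonstration window."""
    if minutes < MIN_DEMO_MINUTES:
        return "short spike"
    if minutes <= MAX_DEMO_MINUTES:
        return "demonstration-length burst"
    return "sustained attack"


def burst_report(series: List[int], baseline_minutes: int = 60) -> List[Dict]:
    """Use the first baseline_minutes as the quiet period and describe each burst."""
    baseline = series[:baseline_minutes]
    report = []
    for start, end in find_bursts(series, baseline):
        peak = max(series[start:end])
        report.append({
            "start_minute": start,
            "end_minute": end,
            "minutes": end - start,
            "peak_rate": peak,
            "label": label_duration(end - start),
        })
    return report


# Constructed sample: 60 quiet minutes (~1000-1060 queries/min), a 30-minute
# burst at 48000 queries/min, then 30 quiet minutes. Not real telemetry.
SAMPLE_SERIES: List[int] = (
    [1000 + (i % 7) * 10 for i in range(60)]
    + [48000] * 30
    + [1000 + (i % 7) * 10 for i in range(30)]
)

if __name__ == "__main__":
    for entry in burst_report(SAMPLE_SERIES):
        print(entry)
```

In practice the quiet-period baseline should be taken from the same hour on previous days rather than the minutes immediately preceding an alert, and a burst that lands in the demonstration band and is followed within hours by an email naming a Bitcoin wallet is the combination worth escalating.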
RDDoS Attack Case Studies: Armada Collective, Lazarus Group And Cozy Bear
The most prominent threat actor in the RDDoS space is an unnamed cybercrime group that claims to be well-established entities such as “Fancy Bear,” the “Armada Collective,” and “Lazarus Group.” More recently, they began incorporating the moniker “Cozy Bear.” Thus far, Black Lotus Labs has not observed any overlap between RDDoS activities and known APT activities, such as those associated with Fancy Bear, Cozy Bear, or the Lazarus Group.
The group behind this campaign garnered widespread notoriety when they started sending a wave of ominous emails around early August 2020. Some snippets from the ransom note can be viewed below, where they purported to be the Armada Collective on Aug. 11. One notable aspect of this message was the high cost of their demand: 5 Bitcoins, which was more than $50,000 based on the exchange rate the day the email was sent.