Recently, a new wave of attacks based around a unique form of misdirection has focused on digital extortion. In October of 2020, security firm Radware published extortion messages sent to companies around the world. In the messages, hackers known as the “Armada Collective” pretend to be from either the North Korean government hacking group Lazarus, also known as APT38, or the Russian state-backed hacking group Fancy Bear, also known as APT28.
The message threatens a powerful distributed denial of service (DDoS) attack against the victims if they fail to pay thousands of dollars' worth of Bitcoin. This type of extortion, which entails a preemptive payment to prevent an online attack, has resurfaced repeatedly over the last decade. But starting in the summer of 2020, criminals have attempted to leverage fear of high-profile nation-state attacks to make money.
“Like a good salesperson, they follow up on the first message to convince the victim to pay before actually going to the trouble of executing an attack,” says Pascal Geenens, director of threat intelligence at Radware. “Of course, these criminals would prefer the easy money and not having to go through the process of running an attack. However, if the threat actors want to keep their campaign credible, not attacking is not an option.”
According to Radware, the hackers tended to pose as Lazarus Group when attempting to extort money from financial entities and as Fancy Bear when threatening tech or manufacturing firms.
In one example, hackers pretending to be Lazarus Group sent an extortion message to Travelex in late August of 2020. The attackers wanted 20 bitcoin and said that the ransom would go up by 10 bitcoin for every day that passed after the initial deadline.
Travelex didn’t pay the ransom and weathered the DDoS attack that the hackers launched. Ironically enough, extortion DDoS attacks have never been especially profitable for hackers because they lack the urgency of ransomware, which sees the target desperate to restore access.
“Generally speaking, DDoS as an extortion method isn’t as profitable as other types of digital extortion,” according to Robert McArdle, director of threat research at Trend Micro. “It’s a threat to do something as opposed to the threat that you’ve already done it. It’s like saying, ‘I might burn your house down next week.’ It’s a lot different when the house is on fire in front of you.”
While these kinds of attacks may not be as crippling for most victims as ransomware, they still pose a threat to organizations that don’t have the proper defenses in place. And with so many online threats to think about, it’s easy to see how scare tactics could work often enough to make it a viable scheme for criminals.