Travelex, Other Orgs Face DDoS Threats as Extortion Campaign Rages On

  • Corporations worldwide, including Travelex, have been sent letters threatening to launch DDoS attacks on their network unless a $230K ransom is paid.

    Businesses worldwide have continued to receive extortion emails threatening to launch a distributed denial-of-service (DDoS) attack on their network unless they pay up, with British foreign-exchange company Travelex reportedly being one recent high-profile recipient of the threat.

    Researchers said that since mid-August, numerous organizations have been sent emails warning that their business network will be hit by a DDoS attack in about a week. The initial ransom demand is set at 20 BTC (roughly $230,000 at the time of writing), and the cybercriminals threaten to increase that ransom by 10 BTC for every day it goes unpaid, researchers said.

    While a high level of activity was first tracked in August, that activity slowed down in the first half of September, only to “grow significantly” at the end of September and the beginning of October, Radware researchers told Threatpost.

    Travelex (which has had its fair share of security woes over the past year, starting with a New Year’s ransomware attack) was one such org threatened with a DDoS attack unless it paid 20 bitcoins (BTC), Intel471 researchers reported on Tuesday. The bitcoin wallet address in the email shows that Travelex did not pay the attackers at any point, they said.

    “Following the extortion email, the threat actor performed a volumetric attack on a custom port of four IP addresses serving the company’s subdomains,” according to Intel471 researchers. “Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers.”
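The DNS amplification follow-up described above leaves a recognisable footprint in flow telemetry: a target host receives far more UDP/53 response bytes from public resolvers than it ever sent in queries. The detector below is an added example written for this article, not code from Intel471, Radware or Travelex; the flow records, the target addresses (203.0.113.x) and the thresholds are constructed assumptions, and only the Google Public DNS resolver addresses come from the attack the article describes.

```python
from collections import defaultdict

# Constructed NetFlow-style records for the example:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # Large unsolicited DNS "responses" from public resolvers hitting two target hosts
    (0, "8.8.8.8", 53, "203.0.113.10", 41000, "udp", 1_450_000, 1000),
    (0, "8.8.4.4", 53, "203.0.113.10", 41001, "udp", 1_300_000, 900),
    (1, "8.8.8.8", 53, "203.0.113.11", 41002, "udp", 1_480_000, 1000),
    # A single legitimate query from the first target (70 bytes outbound)
    (1, "203.0.113.10", 41000, "8.8.8.8", 53, "udp", 70, 1),
    # A normal query/response pair for a third host, which must NOT be flagged
    (2, "203.0.113.12", 41003, "8.8.8.8", 53, "udp", 70, 1),
    (2, "8.8.8.8", 53, "203.0.113.12", 41003, "udp", 120, 1),
    # Unrelated TCP traffic, ignored by the detector
    (1, "198.51.100.5", 443, "203.0.113.10", 55000, "tcp", 50_000, 40),
]


def dns_amplification_suspects(flows, ratio_threshold=10.0, min_bytes=1_000_000):
    """Return {dst_ip: (response_bytes, query_bytes, ratio)} for hosts that
    receive far more UDP/53 response traffic than they sent in queries.

    ratio_threshold: response/query byte ratio above which a host is suspect
    (amplification makes this ratio explode; benign DNS stays near 1-3x).
    min_bytes: ignore hosts below this volume to avoid flagging a stray reply.
    """
    resp_bytes = defaultdict(int)   # bytes received with source port 53
    query_bytes = defaultdict(int)  # bytes sent with destination port 53
    for _ts, sip, sport, dip, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if sport == 53:
            resp_bytes[dip] += nbytes
        elif dport == 53:
            query_bytes[sip] += nbytes
    suspects = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        ratio = rb / qb if qb else float("inf")  # replies with no query at all
        if rb >= min_bytes and ratio >= ratio_threshold:
            suspects[host] = (rb, qb, ratio)
    return suspects


def reflectors_used(flows, suspects):
    """Source addresses that sent UDP/53 responses to any flagged host."""
    return {sip for _t, sip, sport, dip, _dp, proto, _b, _p in flows
            if proto == "udp" and sport == 53 and dip in suspects}
```

In production the same two counters would be kept per minute so that the byte ratio becomes a rate, and the reflector set tells you which resolvers to rate-limit at the edge rather than blocking port 53 outright.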

    Threatpost has reached out to Travelex for further comment on the DDoS extortion threat.

    Ongoing DDoS Extortion Threats

    While the ransom DDoS campaign has been ongoing since August and has received widespread coverage, researchers with Radware said in a Wednesday post that they are continuing to see companies worldwide receive the extortion emails, and that the attackers are becoming more sophisticated.

    “There is no way to communicate with the blackmailers, so there is no option to negotiate and the only way to get a message through is by sending BTC to the bitcoin address mentioned in the letter,” researchers said.

    The extortion emails claim that the threat group has already launched a small DDoS attack on the victim’s IPs (of the ASN number mentioned in the letter) to give the threat legitimacy. The attackers also claim that they have the ability to perform volumetric attacks that peak at 2Tbps, nearly reaching the level of the 2.3Tbps attack targeting an Amazon Web Services customer in February that was the largest volumetric DDoS attack on record.

    “These threats are not hoaxes, and the actors have followed up with attacks,” Pascal Geenens, director of threat intelligence at Radware, told Threatpost. “While we have not observed the 2Tbps attack threatened in the letter, organizations have seen attacks ranging up to 300Gbps and combining multiple attack vectors. These attacks can be devastating for many organizations.”

    A sample DDoS ransom letter. Credit: Radware

    Of note, the extortion threats were sent to generic email addresses at the companies, which did not always reach the right person in the firm, and were sometimes even received by subsidiaries of companies in the wrong country. However, while earlier iterations of the ransom note were rudimentary, researchers have observed the threat actor increasing their sophistication.

    “The letters have been improved since the start of the campaign by fixing some typos, rephrasing some actions for better clarity, and press coverage of earlier DDoS attacks that impacted financial companies has been added to instill more fear,” researchers said.

    The threat actor purports to be several APTs, posing as Fancy Bear, Armada Collective and Lazarus Group. The actors appear to pick an APT based on the vertical they are trying to convince to pay a ransom: the cybercriminals purport to be Lazarus Group when targeting financial companies (such as in Travelex’s case), while they pretend to be Fancy Bear when targeting technology and manufacturing orgs.

    However, researchers pointed to discrepancies that show the threat actors are merely posing as these APTs rather than being the real deal: “Based on what we know about the traditional tactics, techniques and procedures of these APT groups, the threat activity that we are observing does not match up,” Geenens told Threatpost. “Attribution is mostly guesswork, and it is very hard to make an absolute statement one way or another. Even if an APT group were to admit to these threats, it would be impossible to verify whether they are even telling the truth.”

    It is worth noting that these ransom threats are nothing new. In 2019, cybercriminals posing as Fancy Bear launched DDoS attacks against companies in the financial sector and demanded ransom payments. And back in 2016, a group (who also called themselves the Armada Collective) sent extortion emails to many online companies threatening to launch DDoS attacks if they weren’t paid in Bitcoin. All the way back in 2015, the FBI said that it was seeing an increase in the number of organizations being targeted by scammers threatening to launch DDoS attacks if they did not pay a ransom.

    In their ransom letters, attackers claim there are no countermeasures to protect against their attacks. Researchers said this isn’t the case, and advised businesses not to pay the ransom demand: “There is no guarantee blackmailers will honor the terms of their letter,” they said. “Paying only funds future operations, enables them to improve their capabilities and motivates them to continue the campaign.”