A DDoS gang is extorting businesses posing as Russian government hackers

Exclusive: Fake "Fancy Bear" group is demanding money from companies in the financial sector, threatening DDoS attacks.
Written by Catalin Cimpanu, Contributor
Fancy Bear logo

For the past week, a group of criminals has been launching DDoS attacks against companies in the financial sector and demanding ransom payments while posing as "Fancy Bear," the infamous hacking group associated with the Russian government, known for hacking the White House in 2014 and the DNC in 2016.

The attacks, brought to ZDNet's attention by one of our readers, were confirmed today by Link11 and Radware, two companies that provide DDoS mitigation services and have documented similar "ransom denial-of-service" (RDOS) attacks in the past years. A Group-IB, a third company, which provides cyber-security services to the financial sector, also confirmed the attacks.

In an interview with ZDNet, Daniel Smith, Radware ERT researcher, said the attacks started last week and targeted the financial vertical.

Smith said "the group is launching large scale, multi-vector demo DDoS attacks when sending victims the ransom letter."

A Link11 spokesperson said the same thing, adding that the purpose of these demo attacks is to serve as an initial warning and intimidation factor, to convince victims into paying the ransom demand.

According to a copy of the ransom letter [PDF] the group is sending victims, the fake Fancy Bear group is asking for payments of 2 bitcoin, which is about $15,000 at today's exchange rate.

Image via Link11

Link11's Thomas Pohle said these demo attacks are a mixture of different protocols, such as DNS, NTP, CLDAP, ARMS, and WS-Discovery.

A Group-IB spokesperson told ZDNet in an email that most of the victims were located in Singapore, South Africa, and in some Scandinavian countries.

Furthermore, the extortionists appear to study and choose their targets in advance. Pohle said the DDoS attacks don't target companies' public website, but at their backend servers, which aren't usually protected by DDoS mitigation systems and cause downtimes -- and possibly intimidating victims.

In addition, Pohle said that beyond the financial vertical, they've also seen some DDoS ransom attacks aimed at companies in the entertainment and retail business.

"The victims are threatened with a follow-up DDoS attack if they do not make a payment in bitcoin within a week," Radware's Smith told ZDNet. "At the moment, no follow-up attacks have been observed."

Revival of a 2017 trend?

Smith also said the ransom letter used this past week is nearly identical to one used in 2017 by another DDoS ransom gang that also posed as Russia's Fancy Bear group.

In fact, 2017 has been the year when DDoS-based ransom demands reached their peak, with dozens of groups operating all at the same time.

Some DDoS extortionists were seen posing as almost any widely-known hacking group known at the time, such as Anonymous, LulzSec, Armada Collective, New World Hackers, Lizard Squad, and Fancy Bear.

Other groups didn't bother imitating better known hacking groups and tried making a name for themselves, such as Kadyrovtsy, RedDoor, ezBTC, Borya Collective, Stealth Ravens, XMR Squad, ZZb00t, Meridian Collective, Xball Team, and Collective Amadeus.

It was a free-for-all for almost the entire year, but attacks subsided as victims learned that many extortionists did not have the firepower to follow through with actual DDoS attacks.

But unlike its 2017 predecessors, this new Fancy Bear copycat that emerged last week at least appears to own an actual DDoS botnet.

However, it is worth mentioning that they are not the real Fancy Bear group. Russia's elite cyber-espionage and hacking unit have never been seen launching DDoS attacks. Their targets usually include embassies, NATO bases, US political parties, and government agencies.

Any company receiving such email threats should report the incident to law enforcement officials.

Updated on October 25 with information from Group-IB confirming the extortion attempts from a third-source. Updated again on October 26 to add that the extortionist group has switched to using the Cozy Bear name instead of Fancy Bear after the publication of this article exposed their fraudulent extortion and ransom demands.

The FBI's most wanted cybercriminals

Editorial standards