DDoS extortionists target NZX, Moneygram, Braintree, and other financial services

One of the victims, the New Zealand stock exchange (NZX), has halted trading for the third day in a row following the attacks.
Written by Catalin Cimpanu, Contributor

For the past weeks, a criminal gang has launched DDoS attacks against some of the world's biggest financial service providers and demanded Bitcoin payments as extortion fees to stop their attacks.

Just this week, the group has attacked money transfer service MoneyGram, YesBank India, Worldpay, PayPalBraintree, and Venmo, a source involved in the DDoS mitigation field has told ZDNet.

The New Zealand stock exchange (NZX), which halted trading for the third day in a row today, is also one of the group's victims.

The attackers have been identified as the same hacker group mentioned in an Akamai report published on August 17, last week.

The group uses names like Armada Collective and Fancy Bear — both borrowed from more famous hacker groups — to email companies and threaten DDoS attacks that can cripple operations and infer huge downtime and financial costs for the targets unless the victims pay a huge ransom demand in Bitcoin.

Such types of attacks are called "DDoS extortions" or "DDoS-for-Bitcoin" and have first been seen in the summer of 2016.

Over the past years, such attacks have come and gone. Some DDoS extortionists groups delivered on their threats and attacked victims, but the vast majority of these extortion attempts only served empty threats.

However, the group active this month is one of the most dangerous seen since the beginning of this trend in 2016.

Some attacks peaked at 200 Gb/sec

In an update to its report added this Monday, on August 24, Akamai confirmed that the group launched complex DDoS attacks that, in some cases, peaked at almost 200 Gb/sec.

Our source, who requested anonymity for this article due to ongoing business relations, also confirmed that some of the attacks launched this week reached 50 to 60 Gb/sec.

The source also described the group as having "above-average DDoS skills."

While previous DDoS extortionists would often target their victims' public websites, this new group has repeatedly targeted backend infrastructure, API endpoints, and DNS servers -- which explains why some of the DDoS attacks this week have resulted in severe and prolonged outages at some of their targets.

For example, in the case of NZX, the group has repeatedly targeted Spark, the stock exchange's hosting provider, which has also resulted in downtime for the provider's other customers.

Furthermore, the group also showed its sophistication by often changing the protocols that were abused for the DDoS attacks, keeping defenders on their toes as to how the next attack would take place, and the protections they needed to roll out.

DDoS mitigation providers recommend that companies do not give in to these types of extortion attempts, and instead of paying the attackers, companies should reach out and contract their services instead.

Europol’s top hacking ring takedowns

Editorial standards