The Reemergence of Ransom-based Distributed Denial of Service (RDDoS) Attacks
Since the second half of 2020, Lumen Black Lotus Labs® has observed an unsettling number of entities receiving emails containing a threat of a sustained DDoS attack unless a Bitcoin ransom was paid. These attacks – known as Ransom Distributed Denial of Service (RDDoS) – could not have come at a worse time, as many businesses have become entirely dependent on their internet connectivity to comply with COVID-19 restrictions imposed for safety or compliance with local law.
Quick Overview of Ransom DDoS; What it is and What it is Not
An RDDoS attack is a mechanism for cybercriminals to extort funds from a legitimate business by threatening to perform impactful DDoS attacks against them if they do not pay a ransom. One important factor that distinguishes RDDoS from other attacks such as ransomware is that an actor does not need to have privileged access to any systems in order to perform the attack. RDDoS attackers aim to exhaust all available resources of easily accessible networks, infrastructure or applications which, in turn, renders that service unavailable to legitimate users. These types of attacks can impair a business’s ability to operate and cause reputational harm if they are not addressed in a timely manner.
Black Lotus Labs has observed this type of activity before, dating as far back as 2016. The campaigns that transpired in 2020, however, were greater in number and duration. In addition, many groups in the past never actually performed any DDoS attacks at all. In contrast with these previously hollow threats, today’s group of cybercriminals often perform a limited attack in order to prove their capability and malicious intent. These attacks have ranged from fifteen minutes to two hours and have typically been focused on organizations’ DNS servers or public websites. Once the attack is completed, the actor sends the malicious email and demands payment via Bitcoin to an actor-controlled wallet.
RDDoS Attack Case Studies: Armada Collective, Lazarus Group and Cozy Bear
The most prominent threat actor in the RDDoS space is an unnamed cybercrime group that claims to be well-established entities such as “Fancy Bear,” the “Armada Collective,” and “Lazarus Group.” More recently, they began incorporating the moniker “Cozy Bear.” Thus far, Black Lotus Labs has not observed any overlap between RDDoS activities and known APT activities, such as those associated with Fancy Bear, Cozy Bear, or the Lazarus Group.
The group behind this campaign garnered widespread notoriety when they started sending a wave of ominous emails around early August 2020. Some snippets from the ransom note can be viewed below, where they purported to be the Armada Collective on Aug. 11. One notable aspect of this message was the high cost of their demand: 5 Bitcoins, which was more than $50,000 based on the exchange rate the day the email was sent.
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.
All your servers will be DDoS-ed starting next Monday (August 17th, 2020, 6 days later) if you don’t pay 5 Bitcoins @ [Bitcoin wallet]
…
If you don’t pay by Monday, attack will start, price to stop will increase to 10 BTC and will go up 5 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful – sometimes over 1.5 Tbps per second. So, no cheap protection will help.
Do not reply, we will probably not read. Pay and we will know it’s you. AND YOU WILL NEVER AGAIN HEAR FROM US!
The first ransom note referenced above was received after a two-hour-long attack. During this time, we observed a spike in UDP-based traffic originating from port 37810. This port is associated with CCTV network cameras that are exposed to the internet. This allowed the attacker to perform a reflective UDP-based attack, utilizing the open services running on these devices. Attacks using this port are not a new technique; it was previously used in IoT-based DDoS attacks as early as 2016.
This group escalated their tactics and rose in prominence a few weeks later when an attack on the New Zealand stock exchange knocked it offline for two days beginning Aug. 26. The length of this attack was unusual when compared with other victims, and either suggests the actors were attempting to establish headlines to increase the likelihood of payment, or that this was, in fact, another actor group operating at the same time.
We suspect that this attack was the catalyst for the timing of a U.S. FBI Flash Alert, which was released two days later on Aug. 28. This alert outlined the RDDoS activity and labeled it a serious threat that had impacted “several organizations.”
To capitalize on the news headlines, the threat actor referenced the New Zealand stock exchange attack in subsequent ransom notes. A snippet from the new ransom note is referenced below:
Please perform a google search for “Lazarus Group” to have a look at some of our previous work.
Also, perform a search for “NZX” or “New Zealand Stock Exchange” in the news. You don’t want to be like them, do you?
The threat actor also raised its demands to an exorbitant cost of 20 bitcoins. At the time, Sept. 2, that demand equated to over $200,000 based upon the exchange rate to U.S. dollars. These ransom notes were subsequently received after an organization experienced an Apple Remote Management Service (or ARMS) UDP reflective DDoS attack. Reports about this type of attack have been observed as far back as 2019. In the weeks that followed, Black Lotus Labs observed this same technique being used on other organizations in the financial sector such as international stock exchanges; however, no prolonged attacks have been observed.
One of the more recent campaigns associated with this threat actor commenced on Oct. 24. In this campaign, the actor chose the display name “Fancy Bear” and sent emails to victims from the domain covidpapers[.]org. A few days later, on Oct. 27, the actors sent out another wave of emails purporting to be “Cozy Bear” from the domain coronaxy[.]com. This differed from prior campaigns which used free email providers such as ProtonMail and PrivateMail. While these campaigns impersonated different threat actors, the bodies of the emails were the same.
The threat actor made the same claim as before – to launch a DDoS attack against the victim’s organization if they did not pay by Nov. 2 (nine days later). The only difference was that the entity lowered its demand to just over $1,000 (USD) in Bitcoins (BTC). These emails were sent to organizations across multiple verticals and countries. While there is no evidence that this was associated with recent U.S. elections, Black Lotus Labs did observe that a county elections board received the threatening notice. This shows that the actors were broadly targeting their notes in what we believe was an attempt to maximize profits.
Another notable feature of the campaign was that the same Bitcoin wallet ID was sent to multiple organizations. This particular aspect of sending one wallet ID to multiple organizations (in lieu of assigning a unique wallet to each organization) meant that the actor had no clear way of understanding which victim had or had not made payment against their ransom. This means they were extremely unlikely to return for a sustained attack, as there was no way for the threat actor to discern the source of any payment.
Introducing the Kadyrovtsy
Likely due to their success, we are now seeing other criminals trying to monetize this same RDDoS crime. One group that we recently observed has used the display name “The Kadyrovtsy.” At this time, we believe that this entity is operating independently of the previously mentioned cybercrime entity. Snippets from a ransom note sent on Nov. 18 and associated with this particular group can be found below:
now we run small attack demo on only small part of network for 3 hours to proof we are not bluff
in not payed after Monday total attack start for long time on all your network and you lose badly and we rise price to stop it
if you pay well no attack more and you never hear us again
This note was sent after a DDoS attack against the recipient that lasted three and a half hours. The attack used multiple types of DDoS techniques, such as the previously discussed NTP amplification attack, WS-Discovery, and UDP traffic from vulnerable IoT routers. At its peak, the attack generated a little over 200 Gbps. While this attack was rather moderate in the amount of traffic it generated, we believe that this demonstrates that the RDDoS problem is unlikely to go away.
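The reflection vectors described in the case studies above (UDP from source port 37810, ARMS, NTP and WS-Discovery) share one signature in flow data: many distinct sources sending UDP from the same service port to a single destination. The following is an added example, not code from Black Lotus Labs, that flags that pattern in flow records. The record format, thresholds and sample flows are constructed for illustration, and the ports other than 37810 are the standard service ports for those protocols rather than values given in the post.

```python
import csv
from collections import defaultdict

# UDP source ports for the reflection vectors the article names. 37810 is
# given on the page; 3283 (ARMS), 123 (NTP) and 3702 (WS-Discovery) are the
# standard service ports, added here as an assumption of this example.
REFLECTOR_PORTS = {37810: "CCTV", 3283: "ARMS", 123: "NTP", 3702: "WS-Discovery"}

# Constructed flow records: epoch,proto,src_ip,src_port,dst_ip,bytes
SAMPLE_FLOWS = """\
1000,udp,198.51.100.1,37810,203.0.113.5,3000000
1010,udp,198.51.100.2,37810,203.0.113.5,3000000
1015,udp,198.51.100.3,37810,203.0.113.5,3000000
1019,udp,198.51.100.4,37810,203.0.113.5,3000000
1012,udp,192.0.2.53,123,203.0.113.9,76
1013,tcp,192.0.2.80,3283,203.0.113.5,9000000
1090,udp,198.51.100.7,3283,203.0.113.5,5000000
1091,udp,198.51.100.8,3283,203.0.113.5,5000000
1092,udp,198.51.100.9,3283,203.0.113.5,5000000
"""

def parse_flows(text):
    """Yield typed tuples from the CSV flow format above."""
    for ts, proto, src, sport, dst, nbytes in csv.reader(text.splitlines()):
        yield int(ts), proto, src, int(sport), dst, int(nbytes)

def detect_reflection(flows, window=60, min_sources=3, min_bps=1_000_000):
    """Alert on (time window, destination, port) buckets where several
    distinct sources send UDP from one reflector port above min_bps."""
    buckets = defaultdict(lambda: {"srcs": set(), "bytes": 0})
    for ts, proto, src, sport, dst, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue  # only UDP replies from known reflector services
        bucket = buckets[(ts // window, dst, sport)]
        bucket["srcs"].add(src)
        bucket["bytes"] += nbytes
    alerts = []
    for (win, dst, sport), bucket in sorted(buckets.items()):
        bps = bucket["bytes"] * 8 / window
        # A lone NTP reply is normal; many reflectors at volume is not.
        if len(bucket["srcs"]) >= min_sources and bps >= min_bps:
            alerts.append({"window_start": win * window, "dst": dst,
                           "vector": REFLECTOR_PORTS[sport],
                           "sources": len(bucket["srcs"]), "bps": bps})
    return alerts

if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Requiring several distinct sources per window keeps a single legitimate NTP reply, or a TCP session that happens to use one of these ports, from raising an alert.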
General RDDoS Guidance and Considerations
While the area of RDDoS is still in its adolescence compared to more established cybercrimes, Black Lotus Labs assesses that this type of threat is likely to continue to impact organizations for the foreseeable future. As is evident with the emergence of The Kadyrovtsy, we suspect that RDDoS will likely expand to become another facet of the cybercrime landscape.
We recommend that organizations NOT pay the ransom demand, as paying only further fuels this illicit business model. Even if a company does pay, there are no assurances that the criminal organization would then stop their attack. Similarly, even if an organization pays off one group, the victim could subsequently receive another ransom note from a different cybercrime group.
To best protect against DDoS attacks, companies should consider a DDoS mitigation service, which helps prevent attack traffic from overwhelming resources. Companies can also consider deploying applications across highly distributed infrastructure, or working to make it difficult to enumerate their public infrastructure.
Black Lotus Labs will continue to use its visibility into attacks and Bitcoin trading to track these actors and their activity. In addition, we will continue our work to raise the costs for cybercriminals by reporting and removing attack infrastructure and wallets.
This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. ©2021 Lumen Technologies. All Rights Reserved.