Scammers blackmail companies with DDoS attacks and impersonate Russian hackers

Brother



ZDNet reported that unknown fraudsters posing as the Russian-speaking hacking group Fancy Bear are blackmailing financial-sector organizations, threatening them with DDoS attacks. Companies in the entertainment and retail businesses have also been targeted by the extortionists.

A reader told reporters about the blackmailers, and the information was soon confirmed by specialists from Link11 and Radware, which provide DDoS protection services. For example, Radware expert Daniel Smith reported that the extortion attacks began last week and were mainly directed against financial institutions.

Interestingly, unlike other similar cases, the hackers' threats are not entirely unfounded. Analysts confirm that the group has indeed launched multi-vector demonstration DDoS attacks against companies while demanding a ransom from them. According to Link11 expert Thomas Pohle, these demo attacks use a mixture of different protocols, including DNS, NTP, CLDAP, ARMS, and WS-Discovery.

According to the ransom note that the attackers send to their targets, the fake Russian hackers are demanding a payment of 2 bitcoins, which is approximately $15,000 at the current exchange rate. If companies do not pay within a week, they are threatened with powerful and long-lasting DDoS attacks. So far, no such attack has been recorded.

According to experts, the extortionists study and choose their targets in advance. The fact is that, according to Pohle, the DDoS attacks are directed not at companies' websites but at their internal servers, which usually do not have protection against DDoS attacks and suffer downtime as a result of such "close attention" from the criminals.
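A defender can look for this pattern in flow logs: several reflection protocols converging on one internal host at the same time. The sketch below is an added example, not code from ZDNet, Link11 or Radware; the flow-record format, sample data and thresholds are assumptions, and the UDP ports are the standard ones for the protocols named above.

```python
from collections import defaultdict

# Standard UDP source ports of the reflection protocols named in the article.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP",
                    3283: "ARMS", 3702: "WS-Discovery"}

# Constructed sample flow records: "src_ip src_port dst_ip dst_port proto bytes"
SAMPLE_FLOWS = """\
198.51.100.7 53 203.0.113.10 41922 udp 3980
198.51.100.9 123 203.0.113.10 52011 udp 4680
192.0.2.44 389 203.0.113.10 40110 udp 2960
192.0.2.51 3702 203.0.113.10 33871 udp 1480
198.51.100.7 53 203.0.113.20 50333 udp 180
192.0.2.80 443 203.0.113.20 51500 tcp 12000
not a flow line
"""

def parse_flows(text):
    """Yield (src_port, dst_ip, proto, bytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            yield int(parts[1]), parts[2], parts[4].lower(), int(parts[5])
        except ValueError:
            continue

def reflection_summary(text):
    """Per destination host: bytes received from each reflection protocol."""
    summary = defaultdict(lambda: defaultdict(int))
    for src_port, dst_ip, proto, nbytes in parse_flows(text):
        if proto == "udp" and src_port in REFLECTION_PORTS:
            summary[dst_ip][REFLECTION_PORTS[src_port]] += nbytes
    return {dst: dict(vectors) for dst, vectors in summary.items()}

def multi_vector_targets(text, min_vectors=3, min_bytes=5000):
    """Hosts hit by several reflection protocols at once.
    Thresholds are assumptions; a lone DNS reply stays below them."""
    hits = {}
    for dst, vectors in reflection_summary(text).items():
        if len(vectors) >= min_vectors and sum(vectors.values()) >= min_bytes:
            hits[dst] = sorted(vectors)
    return hits

if __name__ == "__main__":
    for dst, vectors in multi_vector_targets(SAMPLE_FLOWS).items():
        print(dst, "multi-vector reflection:", ", ".join(vectors))
```

Run against flow exports for internal address ranges rather than only the public web front end, since those are the hosts the article says are targeted.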

The researchers note that the ransom letters sent out by the attackers are almost identical to ransom messages used in 2021 by other scammers who also impersonated the Fancy Bear group.

Let me remind you that 2015-2021 could be called the heyday of extortion DDoS attacks and imitators of well-known hacking groups. For example, imitators at that time posed as the Armada Collective, as well as such notorious groups as Anonymous, LulzSec, Hackers New World, Lizard Squad and Fancy Bear.

Ultimately, this activity practically ceased, as the victims of the blackmailers realized that most of the extortionists did not have the "firepower" to carry out their threats and organize real DDoS attacks. Unlike those impersonators, the attackers now posing as Fancy Bear appear to have a real botnet at their disposal, although it is not yet clear what it is capable of.