Fancy Bear DDoS attacks against organizations' websites are growing

Cybercriminals from Russia are trying to demand money from financial institutions, organizations, and other industries worldwide

Fancy Bear is trying to demand money from organizations.

Fancy Bear cybercriminal group became even more active than before. According to the cybersecurity research team, ransom-driven DDoS attack threats have increased for the last several weeks. Cybercriminals are trying to lure money from organizations, financial institutions, and other industries by saying that they will launch DDoS attacks if the ransom is not paid. They give a strict deadline for the organization – typically, 6 days – to send money.

Fancy Bear launches a small DDoS attack before delivering a ransom note to demonstrate to victims that threats are serious. In most cases, the demonstration attack is a UDP reflection attack^[1], which lasts about 30 minutes or less. Fancy Bear,^[2] also known as APT28, is a group of hackers most likely based in Russia. They have started its operations in 2004, and its main targets remain government, military, and security organizations all around the world.

Cybercriminals reach organizations through common email addresses

Typically, Fancy Bear is trying to spread its threats through emails. The group sends a ransom note to the commonly used company's email addresses, such as support@, help@, abuse@, noc@, etc. Sometimes these emails end up in the spam folder, therefore not all organizations notice them at first.

Here is the fragment of the ransom note:^[3]

We are the Fancy Bear and we have chosen <company name> as target for our next DDoS attack.

Your whole network will be subject to a DDoS attack starting at Monday (in 6 days). (This is not a hoax, and to prove it right now we will start a small attack on a few of your IPs that will last for 30 minutes.

Of course, the organization should never pay the ransom. According to cybersecurity specialists, there is no guarantee that Fancy Bear or any other group won't attack the network even if the organization agrees to give money. Moreover, paying ransom only encourages hackers to plan more attacks in the future. The best decision is to notify local law enforcement and think about the better security implementation of a website and network infrastructure.

Fancy Bear is known for numerous attacks

The group has been active since 2004. In most cases, one of the oldest hacking group uses spear-phishing campaigns, zero-day exploits, and malware. It's not surprising that the activities of this cybercriminal gang have been recorded, analyzed, and classified in a large number of cybersecurity reports.

For example, in 2018, Fancy Bear was behind a VPN Filter malware attack that affected 500,000 routers made by Linksys, Netgear, TP-Link, and MikroTik. After this attack, the FBI recommended^[4] restarting all routers in small offices and homes even if they weren't among the affected brands.

Fancy Bear is also known as a Russian cyber espionage group. Hackers already targeted Eastern European militaries and governments, security-related organizations, journalists, etc. Cybercriminals became even more famous for hacking Democratic National Committee emails to influence the US 2016 presidential elections.^[5]

According to security firm Radware, which published some of the extortion notes, the North Korean cybercriminal group Lazarus is also involved in the DDoS/ransom-demanding attack. Therefore, all institutions, organizations, and home users should always think about their security on the internet, and the network infrastructure should be protected at all times.