The FBI has issued an advisory to businesses over a recent string of DDoS extortion attempts. The perpetrators are claiming to be affiliated with Anonymous or Lizard Squad, and their demands threaten sustained attacks unless a Bitcoin payment is made.
Between April and May of 2017, the FBI says at least six companies received emails claiming to be from “Anonymous” or “Lizard Squad” making threats of DDoS attacks within 24 hours unless the company paid a ransom demand in Bitcoin.
“The email stated the demanded amount of Bitcoin would increase each day the amount went unpaid. No victims to date have reported DDoS activity as a penalty for non-payment,” the FBI alert goes on to explain.
This week, the FBI says they’ve investigated hundreds of these cases, including several in Indiana – home to several major companies, the Indy 500, and this reporter.
However, there has been no indication of attacks. When the targeted organization fails to meet the deadline or refuses to pay, those responsible for the demands fade into the background and the promised DDoS never happens.
So, while the extortion attempts are turning out to be empty threats for now, that wasn’t always the case. In fact, it’s likely the people responsible for the most recent threats are using the ‘Anonymous’ and ‘Lizard Squad’ brands because they’ve been associated with DDoS attacks in the past.
Most administrators will remember the panic that swept through enterprise and SMB channels when Anonymous was using DDoS as their primary means of protest in 2010, something they still do to this day. Lizard Squad is notorious for their DDoS attacks against Microsoft (Xbox Live) and Sony (PlayStation Network) in 2014, and the DDoS against the U.K.’s National Crime Agency in 2015.
Old trick, different day:
These recent extortion demands aren’t the first of their kind. Someone claiming to be ‘Lizard Squad’ demanded nearly $2,700 USD via Bitcoin in 2016 from at least 20 different businesses in the U.K. under the threat of DDoS attacks. However, as was the case with these most recent threats, missed deadlines or refusal to pay didn’t result in an actual attack.
And yet, in 2015, the extortion attempts were anything but empty threats. Back then, the attacks started with a DDoS at 20 to 40 Gbps, usually lasting about 60 minutes. This was a demonstration, which was immediately followed by a ransom demand. Failure to pay within 24 hours would result in another, stronger demonstration, and an additional demand. At the time, most victims were able to mitigate the attacks using third-party defenses.
According to previous warnings from the FBI, extortionists behind actual DDoS attacks usually initiate Simple Service Discovery Protocol (SSDP) and Network Time Protocol (NTP) attacks. They’ve also been known to use SYN flooding and WordPress XML-RPC. In all cases they leverage reflection or amplification techniques, sometimes both.
Another extortion group that has earned a good deal of infamy is DD4BC or DDoS 4 Bitcoin.
The group has been tied to a number of extortion scams stretching as far back as 2014, but they’ve also dabbled in blackmail – where they threatened to expose people caught in the Ashley Madison hack.
In early 2016, Europol announced that two people associated with the group had been raided, but it isn’t clear if that was the entire operation or if others have remained at large. Since the raid, the group has been silent.
For those facing these types of threats, the FBI strongly urges IT managers and business leaders not to pay the ransom demands.
Instead, the best advice is to have a DDoS mitigation strategy in place, and an incident response plan that includes such strategies, which are tested before they’re needed.
Other general tips from the FBI alert include:
- Backup and recovery plans, wherein the critical data is stored offsite, and cannot be accessed from the local network.
- Make sure upstream firewalls can deal with incoming UDP, including the ability to block this traffic at a moment’s notice.
- If you’re a target of these extortion demands, make sure to keep all of the original email messages with headers, and if attacked, maintain a detailed timeline that includes times and content if applicable.
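The SSDP and NTP reflection attacks named above, and the alert's advice to be able to block inbound UDP at a moment's notice, can both be exercised against flow data. The following is an added example, not code from the FBI alert or any vendor: it assumes NetFlow-style flow records as dicts, and its port list, thresholds and the sample flows are constructed for illustration.

```python
"""Flag UDP reflection/amplification traffic in flow records (added example).
Assumptions, not from the FBI alert: flows are dicts from a NetFlow-style
collector; port list and thresholds are illustrative and need tuning."""
from collections import defaultdict

# Source ports of the two reflection vectors the alert names.
REFLECTION_PORTS = {123: "NTP", 1900: "SSDP"}
MIN_AVG_PKT_BYTES = 400  # amplified replies dwarf the small requests
MIN_REFLECTORS = 3       # one stray reply is noise; many reflectors is an attack

def detect_reflection(flows, min_avg_pkt=MIN_AVG_PKT_BYTES, min_reflectors=MIN_REFLECTORS):
    """Group suspicious inbound UDP flows by victim; return {victim: summary}."""
    by_victim = defaultdict(lambda: {"vectors": set(), "reflectors": set(), "bytes": 0})
    for f in flows:
        vector = REFLECTION_PORTS.get(f["src_port"])
        if f["proto"] != "udp" or vector is None or f["packets"] == 0:
            continue
        if f["bytes"] / f["packets"] < min_avg_pkt:
            continue  # small replies: ordinary NTP/SSDP traffic
        v = by_victim[f["dst_ip"]]
        v["vectors"].add(vector)
        v["reflectors"].add(f["src_ip"])
        v["bytes"] += f["bytes"]
    return {ip: {"vectors": sorted(s["vectors"]), "reflectors": len(s["reflectors"]),
                 "bytes": s["bytes"]}
            for ip, s in by_victim.items() if len(s["reflectors"]) >= min_reflectors}

def block_rules(report):
    """Emergency iptables drop rules per flagged victim and vector (blunt: also drops
    legitimate NTP/SSDP replies to that host, so lift them once the flood ends)."""
    port_of = {name: port for port, name in REFLECTION_PORTS.items()}
    return [f"iptables -I INPUT -p udp --sport {port_of[vec]} -d {ip} -j DROP"
            for ip, s in sorted(report.items()) for vec in s["vectors"]]

# Constructed sample: four NTP reflectors and one SSDP reflector hit 203.0.113.10;
# 203.0.113.20 receives a single normal-sized NTP reply and must not be flagged.
SAMPLE_FLOWS = [
    {"src_ip": f"198.51.100.{i}", "src_port": 123, "dst_ip": "203.0.113.10",
     "dst_port": 40000 + i, "proto": "udp", "bytes": 482 * 50, "packets": 50}
    for i in range(1, 5)
] + [
    {"src_ip": "192.0.2.77", "src_port": 1900, "dst_ip": "203.0.113.10",
     "dst_port": 41000, "proto": "udp", "bytes": 1200 * 30, "packets": 30},
    {"src_ip": "192.0.2.5", "src_port": 123, "dst_ip": "203.0.113.20",
     "dst_port": 123, "proto": "udp", "bytes": 76, "packets": 1},
]

if __name__ == "__main__":
    for line in block_rules(detect_reflection(SAMPLE_FLOWS)):
        print(line)
```

In practice the rules would be pushed to the upstream firewall or scrubbing provider rather than a host, and the flagged flows and timestamps belong in the incident timeline the alert asks victims to keep.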