A criminal group is posing as "Fancy Bear" in threatening letters and, as a copycat, is trying to intimidate various companies and institutions in order to demand high ransom payments in Bitcoin.
The attack techniques (distributed denial of service) and the targets (backend servers) appear to security researchers to be deliberately chosen rather than random.
The security firm "Link11" shows what such a threatening letter can look like: [Link11_Fancy-Bear_Erpressermail.pdf]
For the past week, a group of criminals has been launching DDoS attacks against companies in the financial sector and demanding ransom payments while posing as "Fancy Bear," the infamous hacking group associated with the Russian government, known for hacking the White House in 2014 and the DNC in 2016. The attacks, brought to ZDNet's attention by one of our readers, were confirmed today by Link11 and Radware, two companies that provide DDoS mitigation services and have documented similar "ransom denial-of-service" (RDOS) attacks in past years. In an interview with ZDNet, Daniel Smith, Radware ERT researcher, said the attacks started last week and targeted the financial vertical. Smith said "the group is launching large scale, multi-vector demo DDoS attacks when sending victims the ransom letter." [...] According to a copy of the ransom letter [PDF] the group is sending victims, the fake Fancy Bear group is asking for payments of 2 bitcoin, which is about $15,000 at today's exchange rate. Link11's Thomas Pohle said these demo attacks are a mixture of different protocols, such as DNS, NTP, CLDAP, ARMS, and WS-Discovery. Furthermore, the extortionists appear to study and choose their targets in advance. Pohle said the DDoS attacks don't target companies' public websites but their backend servers, which aren't usually protected by DDoS mitigation systems, causing downtime -- and possibly intimidating victims. In addition, Pohle said that beyond the financial vertical, they've also seen some DDoS ransom attacks aimed at companies in the entertainment and retail business.
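The article names the reflection vectors (DNS, NTP, CLDAP, ARMS, WS-Discovery) and the fact that backend servers, not the public website, are the target. The following is an added example, not code from the article, Link11 or Radware: a small flow-record classifier that flags reflected amplification traffic by the well-known UDP source ports of those services and reports which destinations are hit by several vectors at once, so a defender can see a multi-vector demo attack against a host that sits outside the DDoS mitigation perimeter. The flow records, IP addresses and the 400-bytes-per-packet threshold are constructed assumptions.

```python
"""Flag UDP reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Well-known UDP ports of the reflection vectors named in the article.
# Reflected traffic reaches the victim with these as the *source* port.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    3283: "ARMS",
    3702: "WS-Discovery",
}

# Assumed threshold: legitimate responses from these services are small;
# amplified responses average hundreds of bytes per packet. Tune per network.
MIN_BYTES_PER_PACKET = 400


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    packets: int
    bytes: int


def classify(flow):
    """Return the vector name if the flow looks like reflected amplification, else None."""
    if flow.proto != "udp" or flow.packets == 0:
        return None
    vector = REFLECTOR_PORTS.get(flow.src_port)
    if vector is None:
        return None
    if flow.bytes / flow.packets < MIN_BYTES_PER_PACKET:
        return None  # small replies: ordinary DNS/NTP responses, not amplification
    return vector


def summarize(flows, min_vectors=2):
    """Group flagged flows by destination; return targets hit by >= min_vectors vectors."""
    per_dst = defaultdict(lambda: {"vectors": set(), "bytes": 0})
    for f in flows:
        vector = classify(f)
        if vector:
            per_dst[f.dst_ip]["vectors"].add(vector)
            per_dst[f.dst_ip]["bytes"] += f.bytes
    return {dst: s for dst, s in per_dst.items() if len(s["vectors"]) >= min_vectors}


# Constructed sample flows: a backend host (203.0.113.10) receiving a
# multi-vector flood, a second host (203.0.113.20) seeing a single vector,
# and ordinary traffic that must not be flagged.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", 53, "203.0.113.10", 40001, "udp", 1000, 1_200_000),   # DNS reflection
    Flow("198.51.100.6", 123, "203.0.113.10", 40002, "udp", 2000, 960_000),    # NTP monlist-style
    Flow("198.51.100.7", 389, "203.0.113.10", 40003, "udp", 500, 1_500_000),   # CLDAP
    Flow("198.51.100.8", 3702, "203.0.113.10", 40004, "udp", 300, 600_000),    # WS-Discovery
    Flow("198.51.100.9", 123, "203.0.113.20", 40005, "udp", 800, 640_000),     # single vector
    Flow("198.51.100.53", 53, "203.0.113.10", 40006, "udp", 3, 300),           # normal DNS reply
    Flow("192.0.2.44", 443, "203.0.113.80", 51000, "tcp", 40, 38_000),         # normal HTTPS
]


def alerts_for_sample():
    """Run the classifier over the constructed sample and return the summary."""
    return summarize(SAMPLE_FLOWS)


if __name__ == "__main__":
    for dst, s in alerts_for_sample().items():
        print(f"{dst}: vectors={sorted(s['vectors'])} bytes={s['bytes']}")
```

The classifier keys on source port plus average packet size rather than on volume alone, so a single large legitimate DNS response is not enough to trigger it; the multi-vector grouping per destination is what distinguishes a demo attack like the one described from background noise, and a destination that is not the public web host is the signal that the backend perimeter needs the same protection.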