‘Fancy Lazarus’ Cyberattackers Ramp up Ransom DDoS Efforts

The group, known for masquerading as various APT groups, is back with a spate of attacks on U.S. companies.

A distributed denial-of-service (DDoS) extortion group has blazed back on the cybercrime scene, this time under the name of “Fancy Lazarus.” It’s been launching a series of new attacks that may or may not have any teeth, researchers said.

The new name is a tongue-in-cheek combination of the Russia-linked Fancy Bear advanced persistent threat (APT) and North Korea’s Lazarus Group. The choice seems natural, given that the gang was last seen – including in a major campaign in October – purporting to be various APTs, including Armada Collective, Fancy Bear and Lazarus Group.

According to Proofpoint, this time around the gang has been sending threatening, targeted emails to various organizations, including those operating in the energy, financial, insurance, manufacturing, public utilities and retail sectors – asking for a two-Bitcoin (BTC) starting ransom (around $75,000) if companies want to avoid a crippling DDoS attack. The price doubles to four BTC after the deadline, and increases by one BTC each day after that. The targets are mostly located in the U.S.

While it’s hard to make a definitive correlation, the timing of some of the Fancy Lazarus campaigns corresponds with high-profile ransomware attacks over the past six months, in terms of targeting the same vertical industries, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

“These include utility, natural gas and manufacturing,” she told Threatpost. “This could be an attempt to ride the coattails of high-profile news stories and result in a higher likelihood of payment. Another trend we have seen over the past four months is a focus on sending these threats to financial institutions and large insurance providers.”

Email Campaign Details

The emails announce that the organization is being targeted by Fancy Lazarus, and they threaten a DDoS attack in seven days if the target doesn’t pay up, according to an analysis on Thursday from Proofpoint. The messages also warn of potential damage to reputation and loss of internet access at offices, and then promise that a “small attack” will be launched on a specific IP, subnet or Autonomous System with an attack of 2Tbps, as a preview of things to come.

The emails are either in plain text, HTML-based or present the letter in an embedded .JPG image – likely a detection-evasion technique, Proofpoint noted.

“The emails are typically sent to well researched recipients, such as individuals listed as contacts in Border Gateway Protocol (BGP) or Whois information for company networks,” according to Proofpoint’s analysis. “The emailed individuals also work in areas such as communications, external relations, investor relations. Additionally, extortion emails are often sent to email aliases such as help desk, abuse, administrative contacts or customer service.”

Meanwhile, the sender email is unique to each target. The attackers use a random “first name, last name” convention for the sender, using fake names.

The ransom note. Source: Proofpoint.

Some of this is a change in tactics from previous campaigns by the group. For instance, Proofpoint noted that the starting ransom was 10 or 20 BTC in 2020 campaigns – a change that was likely made to account for exchange-rate fluctuations. In October, for instance, a 20-BTC demand translated to $230,000.

Also, previously the sender names on the emails often contained the name of an APT that was in the headlines, such as Fancy Bear; or, they included the targeted company’s CEO name.

Sometimes a Hoax?

It’s unknown whether the group always follows through on its threat to launch massive DDoS attacks. An FBI alert on the group from last August said that while the group had taken aim at thousands of organizations from multiple global industry verticals by that point, many of them saw no further activity after the deadline expired – or, they were able to easily mitigate it.

In some cases though, as with Travelex, “the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains,” according to Intel471 researchers writing last year. Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers, the firm reported.

“While FBI reporting indicates they do not always follow through on their threat of a DDoS, there have been several prominent institutions that have reported an impact to their operations and other impacted companies have just been successful at mitigating the attacks,” DeGrippo said. “This type of behavior keeps them more closely aligned with that of a cybercriminal versus a scam artist.”

In any case, it’s important for companies and organizations to be prepared by having appropriate mitigations in place such as using a DDoS protection service and having disaster recovery plans at the ready, she added.

Ransom DDoS: A Growing Tactic

Ransom DDoS is not a recent development, but it has become more popular of late, according to DeGrippo, thanks to the mainstreaming of Bitcoin and Ethereum.

“While RDDoS existed earlier, this type of extortion likely did not catch on until, in part, the adoption of cryptocurrency, which allowed the threat actors a safer means to receive payment,” she told Threatpost. “These kinds of campaigns have been done in an organized fashion for the past year.”

She added that Fancy Lazarus’ choice to align its ransom demand with the fluctuating price of cryptocurrency is notable.

“As Bitcoin prices fluctuate, we see some change in their demand amounts, proving that cryptocurrency markets and malicious actor activity are absolutely correlated,” she said. “This has been the case since at least 2016 in the early days of large-scale ransomware. Threat actors send their campaigns when the prices are most advantageous, attempting to make more money when the various currencies are at a high valuation. Other actors use other cryptocurrencies like Ethereum, but Bitcoin continues to be the massively popular coin of choice for malicious threat actors.”

While it’s impossible to know the success rate of the Fancy Lazarus campaigns, “given the potentially substantial financial payoff for relatively little work on the threat actor’s part, a low success rate would still make this a worthwhile tactic,” DeGrippo noted.

One trend to watch is the addition of ransomware to the mix going forward. In February, the REvil ransomware gang started adding DDoS attacks to its operations, in an effort to ratchet up the pressure to pay.
