Hackers posing as notorious APT groups threaten organisations with DDoS attacks

The new and unidentified hacking group is masquerading as other, infamous groups to convince firms to pay its ransom demands

Researchers are continuing to see a rise in the number of extortion letters an unidentified group of hackers is sending to organisations worldwide.

According to researchers from Radware, the group is threatening organisations with distributed denial of service (DDoS) attacks against their networks, unless they pay a ransom.

The researchers first warned organisations of this new global DDoS-related extortion campaign in August, stating that the group was specifically targeting entities in the finance, travel and e-commerce sectors. The ransom emails claimed to come from notorious advanced persistent threat (APT) groups such as Lazarus, Armada Collective and Fancy Bear, depending on the sector being targeted.

The mails threatened to launch DDoS attacks of over 2 Tbps against the recipients if they did not pay between 10 and 20 Bitcoin ($115,000 - $230,000) by a specified date. The hackers also threatened to increase the figure by 10 BTC for each deadline missed.

The researchers noticed an increased level of activity in August, which lowered in the first half of September. However, the activity increased "significantly" in the last week of September and start of October.

In a post published on Wednesday, Intel471 researchers said that British foreign-exchange firm Travelex had also received a ransom letter from hackers.

"Following the extortion email, the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company's subdomains," the researchers said.

"Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers."
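The DNS amplification attack described above is a reflection attack: the attacker sends small DNS queries to open resolvers with the source address forged to the victim's, so the resolvers deliver their much larger responses to the victim. In flow data the reflectors therefore appear as the genuine senders, and the tell is unsolicited UDP traffic from source port 53, arriving from several resolvers, that vastly exceeds any queries the victim actually sent them. The following is an added example, not code from the Intel 471 or Radware write-ups; it assumes NetFlow-style per-flow records, and the sample records are constructed (victim and background hosts use TEST-NET addresses, with Google's public resolvers 8.8.8.8 and 8.8.4.4 and a fictional 198.51.100.7 standing in as reflectors).

```python
"""Flag DNS amplification (reflection) victims in flow records.

Heuristic: a destination receives UDP traffic from source port 53 from at
least `min_reflectors` distinct resolvers, the total volume is large, and it
dwarfs the victim's own outbound DNS queries to those same resolvers.
Added example; the flow records below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    packets: int
    bytes: int


# Constructed sample. 203.0.113.10 is the victim: three resolvers deliver large
# unsolicited responses (~2 KB per packet, typical of amplified ANY/TXT answers)
# while the victim sent only one 70-byte query, to 8.8.8.8. 203.0.113.20 is a
# normal host whose queries and answers to 8.8.8.8 are roughly balanced.
SAMPLE_FLOWS = [
    Flow("8.8.8.8",       53,    "203.0.113.10", 40123, "udp", 60_000, 120_000_000),
    Flow("8.8.4.4",       53,    "203.0.113.10", 40123, "udp", 55_000, 110_000_000),
    Flow("198.51.100.7",  53,    "203.0.113.10", 40123, "udp", 40_000,  80_000_000),
    Flow("203.0.113.10",  51000, "8.8.8.8",      53,    "udp",      1,          70),
    Flow("203.0.113.10",  44000, "198.51.100.9", 443,   "tcp",    400,     300_000),
    Flow("198.51.100.9",  443,   "203.0.113.10", 44000, "tcp",    500,   2_000_000),
    Flow("203.0.113.20",  52000, "8.8.8.8",      53,    "udp",    200,      14_000),
    Flow("8.8.8.8",       53,    "203.0.113.20", 52000, "udp",    200,      60_000),
]


def detect_dns_amplification(flows, min_reflectors=3,
                             min_response_bytes=50_000_000, min_ratio=50.0):
    """Return {victim_ip: summary} for destinations that look reflected-at.

    Thresholds are illustrative assumptions; tune them to the link size and
    the normal DNS profile of the network being monitored.
    """
    inbound = defaultdict(lambda: defaultdict(int))   # dst -> resolver -> bytes
    outbound = defaultdict(lambda: defaultdict(int))  # host -> resolver -> bytes
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == 53:          # DNS answer arriving from a resolver
            inbound[f.dst_ip][f.src_ip] += f.bytes
        elif f.dst_port == 53:        # DNS query sent by a local host
            outbound[f.src_ip][f.dst_ip] += f.bytes

    findings = {}
    for victim, by_resolver in inbound.items():
        response_bytes = sum(by_resolver.values())
        # Only queries the victim itself sent to these specific resolvers count;
        # in a reflection attack that number is near zero because the queries
        # came from the attacker with a spoofed source address.
        query_bytes = sum(outbound[victim].get(r, 0) for r in by_resolver)
        ratio = response_bytes / max(query_bytes, 1)
        if (len(by_resolver) >= min_reflectors
                and response_bytes >= min_response_bytes
                and ratio >= min_ratio):
            findings[victim] = {
                "reflectors": sorted(by_resolver),
                "response_bytes": response_bytes,
                "query_bytes": query_bytes,
                "amplification_ratio": round(ratio, 1),
            }
    return findings


if __name__ == "__main__":
    for victim, summary in detect_dns_amplification(SAMPLE_FLOWS).items():
        print(victim, summary)
```

The balanced query/answer volume for 203.0.113.20 keeps ordinary recursive-resolver use out of the findings, and the `min_reflectors` floor avoids alerting on a single misbehaving resolver. Because the reflector addresses are genuine, blocking them outright would also break legitimate resolution, so the practical response is upstream rate-limiting of inbound UDP/53 toward the victim or scrubbing, not a blanket block on the resolvers.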

Radware said that its researchers had noticed the criminals sometimes sent the extortion letter to a generic email address for an organisation. As a result, the letter did not immediately reach the right person, and in some cases it ended up at a foreign branch instead.

Researchers also noticed that the letter claimed to be from 'Lazarus Group' when the target was a financial organisation.

Lazarus is believed to be a North Korean state-sponsored group, which gained notoriety in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

Radware researchers also observed the new extortion campaign using the 'Fancy Bear' moniker while targeting manufacturing and technology firms.

"Fancy Bear typically does not resort to DDoS tactics and typically doesn't target technology or manufacturing organisations unless they are associated with government or political institutions and are seeking to infuse political influence or chaos, and not for financial gain by extortion," the researchers noted.

There is no way to communicate with this new hacking group, as they only provide a Bitcoin address to pay the ransom.

The researchers are advising organisations not to pay any ransom if they receive an extortion letter.

"There is no guarantee blackmailers will honour the terms of their letter," they said.

"Paying only funds future operations, allows them to improve their capabilities and motivates them to continue the campaign."