We are reaching out because over the last several weeks, there has been an increase in ransom-driven DDoS attack threats. Entities claiming to be Fancy Bear / Cozy Bear / Lazarus are threatening to launch DDoS attacks against organizations’ websites and network infrastructure unless a ransom is paid before a given deadline. Prior to the ransom note, a small DDoS attack is usually launched as a form of demonstration. The demonstration attack is typically a UDP reflection attack using a variety of protocols, lasting roughly 30 minutes in duration (or less).
An excerpt of the ransom note is here:
"We are the Fancy Bear and we have chosen
Your whole network will be subject to a DDoS attack starting at Monday (in 6 days). (This is not a hoax, and to prove it right now we will start a small attack on a few of your IPs that will last for 30 minutes."
The ransom note is typically sent to the common group email aliases of the company—i.e. [email protected], [email protected], [email protected], [email protected], [email protected], etc. In several cases, it has ended up in spam.
You can view a sample of the whole ransom note here. You can also view the FBI report here.
What to do if you receive a threat:
1.Do not panic and do not pay the ransom: Paying ransom only encourages bad actors—and there’s no guarantee that they won't attack your network now or later.
2. Notify local law enforcement: They will also likely request a copy of the ransom letter that you received.
How to prepare now for this threat:
1. Ensure your network infrastructure is protected: These attacks are targeting both web properties as well as network infrastructure. We have successfully mitigated these attacks for our customers through our core DDoS solution and Magic Transit (for IP infrastructure). If we can be helpful to you and your organization, we stand ready to help.
2. Enable DDoS alerts: If you are on a Cloudflare paid plan, you can be notified immediately in the case of an attack on your Cloudflare protected Internet-property. Click here to enable DDoS alerts from your dashboard.
3. Review our support docs: Learn best practices to secure your Cloudflare-enabled site and review how to respond to ransom notes threatening a DDoS attack here.