We are reaching out because over the last several weeks, there has been an increase in ransom-driven DDoS attack threats. Entities claiming to be Fancy Bear / Cozy Bear / Lazarus are threatening to launch DDoS attacks against organizations’ websites and network infrastructure unless a ransom is paid before a given deadline. Prior to the ransom note, a small DDoS attack is usually launched as a form of demonstration. The demonstration attack is typically a UDP reflection attack using a variety of protocols, lasting roughly 30 minutes (or less).
An excerpt of the ransom note is here:

We are the Fancy Bear and we have chosen as target for our next DDoS attack.
Your whole network will be subject to a DDoS attack starting at Monday (in 6 days). (This is not a hoax, and to prove it right now we will start a small attack on a few of your IPs that will last for 30 minutes.
The ransom note is typically sent to the common group email aliases of the company—i.e. noc@, support@, help@, legal@, abuse@, etc. In several cases, it has ended up in spam.
You can view a sample of the whole ransom note. You can also view the [FBI report here](https://info.cloudflare.com/rs/713-XSC-918/images/FBI_Flash.pdf).
What to do if you receive a threat:
1. Do not panic and do not pay the ransom: Paying ransom only encourages bad actors—and there’s no guarantee that they won’t attack your network now or later.
2. Notify local law enforcement: They will also likely request a copy of the ransom letter that you received.
How to prepare now for this threat:
1. Ensure your network infrastructure is protected: These attacks are targeting both web properties as well as network infrastructure. We have successfully mitigated these attacks for our customers through our core DDoS solution and [Magic Transit](https://www.cloudflare.com/magic-transit/) (for IP infrastructure). If we can be helpful to you and your organization, we stand ready to help.
2. Enable DDoS alerts: If you are on a Cloudflare paid plan, you can be notified immediately in the case of an attack on your Cloudflare-protected Internet property. Click here to enable DDoS alerts from your dashboard.
3. Review our support docs: Learn best practices to secure your Cloudflare-enabled site and review how to respond to ransom notes threatening a DDoS attack [here](https://support.cloudflare.com/hc/en-us/articles/200170196-Responding-to-DDoS-attacks).