Fake DDoS Extortions Continue. Please Forward Us Any Threats You Have Received.

Published: 2017-06-23. Last Updated: 2017-06-23 11:24:50 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We do continue to receive reports about DDoS extortion e-mail. These e-mails are essentially spammed to the owners of domains based on whois records. They claim to originate from well-known hacker groups like "Anonymous" who have been known to launch DDoS attacks in the past. These e-mails essentially use the notoriety of the group's name to make the threat sound more plausible. But there is no evidence that these threats originate from these groups, and so far we have not seen a single case of a DDoS being launched after a victim received these e-mails. So no reason to pay :)

Here is an example of such an e-mail (I anonymized some of the details, like the bitcoin address and the domain name):

We are Anonymous hackers group.
Your site [domain name] will be DDoS-ed starting in 24 hours if you don't pay only 0.05 Bitcoins @ [bit coin address]
Users will not be able to access sites host with you at all.
If you don't pay in next 24 hours, attack will start, your service going down permanently. Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - over 1 Tbps per second. No cheap protection will help.
Prevent it all with just 0.05 BTC @ [bitcoin address]
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

This particular e-mail was rather cheap. Other e-mails asked for up to 10 BTC.

There is absolutely no reason to pay any of these ransoms. But if you receive an e-mail like this, there are a couple of things you can do:

  • Verify your DDoS plan: Do you have an agreement with an anti-DDoS provider? A contact at your ISP? Try to make sure everything is set up and working right.
  • We have seen these threats being issued against domains that are not in use. It may be best to remove DNS for the domain if this is the case, so your network will not be affected. 
  • Attackers often run short tests before launching a DDoS attack. Can you see any evidence of that, such as a brief, unexplained traffic spike? If so, take a closer look: being able to detect an actual test makes the threat more serious. The purpose of the test is often to assess the firepower needed to DDoS your network.
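One way to look for such a test run in per-minute traffic counters, as an added example (not code from this diary or the ISC): the byte counts below are constructed, and the window, factor and run-length thresholds are assumptions you would tune against your own traffic.

```python
"""Flag brief, unexplained traffic spikes that may be a DDoS 'test run'.

Added example for this diary, not ISC code. Input is a constructed series of
(minute, bytes) samples as a flow collector would export. The baseline is the
median of the preceding `window` samples, frozen while a run is in progress
so a spike cannot inflate its own baseline. Short runs above baseline*factor
are reported as probes; longer runs as sustained load (ordinary heavy use).
"""
from statistics import median

def detect_spikes(samples, window=10, factor=5.0, max_len=5):
    """Return (probes, sustained); each entry is (start, end, peak, baseline)."""
    probes, sustained = [], []
    run = None  # [start_minute, end_minute, sample_count, peak, baseline]
    baseline = 0
    for i, (minute, value) in enumerate(samples):
        if run is None:
            history = [v for _, v in samples[max(0, i - window):i]]
            if len(history) < 3:  # too little history for a baseline
                continue
            baseline = median(history)
        if baseline > 0 and value > baseline * factor:
            if run is None:
                run = [minute, minute, 1, value, baseline]
            else:
                run[1], run[2], run[3] = minute, run[2] + 1, max(run[3], value)
        elif run is not None:
            _close(run, probes, sustained, max_len)
            run = None
    if run is not None:  # run still open at end of data
        _close(run, probes, sustained, max_len)
    return probes, sustained

def _close(run, probes, sustained, max_len):
    """File a finished run as a short probe or as sustained elevated load."""
    start, end, count, peak, baseline = run
    (probes if count <= max_len else sustained).append((start, end, peak, baseline))

# Constructed sample: quiet traffic, a 2-minute probe, then 8 minutes of load.
SAMPLE_BYTES = (
    [1_000_000, 1_200_000, 900_000, 1_100_000, 1_000_000] * 2  # minutes 0-9
    + [1_050_000, 1_000_000]                                    # minutes 10-11
    + [40_000_000, 38_000_000]                                  # 12-13: probe
    + [1_100_000, 950_000, 1_000_000, 1_200_000, 1_000_000, 1_050_000]  # 14-19
    + [30_000_000] * 8                                          # 20-27: sustained
    + [1_000_000, 1_100_000]                                    # minutes 28-29
)
SAMPLES = list(enumerate(SAMPLE_BYTES))
```

Running `detect_spikes(SAMPLES)` reports the two-minute burst at minutes 12-13 as a possible test run and files the eight-minute plateau at 20-27 separately as sustained load, which is worth correlating with the e-mail's 24-hour deadline.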

And please forward any e-mails like this to us. It would be nice to get a few more samples to look for any patterns. Like I said above, this isn't new, but people appear to still pay up to these fake threats.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
