Companies worldwide have continued to receive extortion emails threatening to launch a distributed denial-of-service (DDoS) attack on their network, unless they pay up – with British foreign-exchange company Travelex reportedly being one recent high-profile threat recipient.

Researchers said that since mid-August, several companies have been sent emails that warn that their company network will be hit by a DDoS attack in about a week. The initial ransom demand is set at 20 BTC – which translates to about $230,000 at the time of writing – and cybercriminals threaten to increase that ransom by 10 BTC for each day not paid, said researchers.

While a high level of activity was first tracked in August, that activity then slowed down in the first half of September – only to “grow significantly” at the end of September and the beginning of October, Radware researchers told Threatpost.

Travelex (which has undergone its fair share of security woes over the past year, starting with a New Year’s ransomware attack) was one such org threatened with a DDoS attack, unless it paid 20 bitcoins (BTC), Intel471 researchers reported on Tuesday. A bitcoin wallet address in the email shows that Travelex did not pay the attackers at any point, they said.

“Following the extortion email, the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains,” according to Intel471 researchers. “Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers.”

Threatpost has reached out to Travelex for further comment on the DDoS extortion threat.

Ongoing DDoS Extortion Threats

While the ransom DDoS campaign has been ongoing since August and has received widespread coverage, researchers with Radware said in a Wednesday post that they are continuing to see companies worldwide receive the extortion emails – and that attackers are becoming more sophisticated.

“There is no way to communicate with the blackmailers, so there is no option to negotiate and the only way to get a message through is by sending BTC to the bitcoin address mentioned in the letter,” researchers said.

The extortion emails claim that the threat group has already launched a small DDoS attack on the victim’s IPs (of the ASN number mentioned in the letter) to give the threat legitimacy. The attackers also claim that they have the ability to perform volumetric attacks that peak at 2Tbps – almost reaching the levels of the 2.3Tbps attack targeting an Amazon Web Services client in February that was the largest volumetric DDoS attack on record.

“These threats are not hoaxes, and the actors have followed up with attacks,” Pascal Geenens, director of threat intelligence at Radware, told Threatpost. “While we have not observed the 2TBps attack threatened in the letter included in the report, organizations have seen attacks ranging up to 300GBps and combining multiple attack vectors. These attacks can be devastating for many organizations.”


Travelex, Other Orgs Face DDoS Threats as Extortion Campaign Rages On