Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Fri, Jun 23rd):Obfuscation Techniques;

Latest Diaries

Fake DDoS Extortions Continue. Please Forward Us Any Threats You Have Received.

Published: 2017-06-23
Last Updated: 2017-06-23 11:24:50 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

We do continue to receive reports about DDoS extortion e-mail. These e-mails are essentially spammed to the owners of domains based on whois records. They claim to originate from well-known hacker groups like "Anonymous" who have been known to launch DDoS attacks in the past. These e-mails essentially use the notoriety of the group's name to make the threat sound more plausible. But there is no evidence that these threats originate from these groups, and so far we have not seen a single case of a DDoS being launched after a victim received these e-mails. So no reason to pay :)

Here is an example of an e-mail (I anonymized some of the details like the bitcoin address and the domain name)

We are Anonymous hackers group.
Your site [domain name] will be DDoS-ed starting in 24 hours if you don't pay only 0.05 Bitcoins @ [bit coin address]
Users will not be able to access sites host with you at all.
If you don't pay in next 24 hours, attack will start, your service going down permanently. Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - over 1 Tbps per second. No cheap protection will help.
Prevent it all with just 0.05 BTC @ [bitcoin address]
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

This particular e-mail was rather cheap. Other e-mails asked for up to 10 BTC. 

There is absolutely no reason to pay any of these ransoms. But if you receive an e-mail like this, there are a couple of things you can do:

  • Verify your DDoS plan: Do you have an agreement with an anti-DDoS provider? A contact at your ISP? Try to make sure everything is set up and working right.
  • We have seen these threats being issued against domains that are not in use. It may be best to remove DNS for the domain if this is the case, so your network will not be affected. 
  • Attackers often run short tests before launching a DDoS attack. Can you see any evidence of that? A brief, unexplained traffic spike? If so, then take a closer look, and it may make the threat more serious if you can detect an actual test. The purpose of the test is often to assess the firepower needed to DDoS your network

And please forward any e-mails like this to us. It would be nice to get a few more samples to look for any patterns. Like I said above, this isn't new, but people appear to still pay up to these fake threats.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|

Keywords:
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Obfuscating without XOR
Jun 22nd 2017
1 day ago by Xme (0 comments)

It has been a month and a bit how is your new patching program holding up?
Jun 21st 2017
1 day ago by Mark (2 comments)

Windows Error Reporting: DFIR Benefits and Privacy Concerns
Jun 20th 2017
2 days ago by Johannes (0 comments)

As Your Admin Walks Out the Door ..
Jun 20th 2017
3 days ago by Rob VandenBrink (4 comments)

Mapping Use Cases to Logs. Which Logs are the Most Important to Collect?
Jun 17th 2017
6 days ago by Guy (1 comment)

What is going on with Port 83?
Jun 16th 2017
6 days ago by Lorna (1 comment)

View All Diaries →

Latest Discussions

TCP/9000 on the rise
created May 31st 2017
3 weeks ago by Jens (1 reply)

Broken link to handlers.sans.org
created May 30th 2017
3 weeks ago by Anonymous (0 replies)

New Option of Software and Cyber Security
created May 28th 2017
3 weeks ago by Jeff (0 replies)

SANS PGP Public Keys
created May 28th 2017
3 weeks ago by Vincent (2 replies)

Advice needed
created May 28th 2017
3 weeks ago by FNG (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

OAUTH phishing against Google Docs ? beware!
May 3rd 2017
1 month ago by Bojan (6 comments)

Massive wave of ransomware ongoing
May 15th 2017
1 month ago by Xme (10 comments)

Malspam with password-protected Word documents
Mar 21st 2017
3 months ago by Brad (13 comments)

Dyn.com DDoS Attack
Oct 21st 2016
8 months ago by Johannes (9 comments)

Microsoft Patch Tuesday Delayed
Feb 18th 2017
4 months ago by Johannes (7 comments)