Cybercriminals claiming to be Fancy Bear and Armada Collective have been observed threatening organizations in different sectors with distributed denial-of-service (DDoS) attacks. They are trying to extort money from these organizations by demanding a ransom payment to prevent the alleged DDoS attacks. The threat actors sent extortion emails to target organizations threatening to launch a DDoS attack that can reach up to two (2) terabytes per second, and emphasized the damage such an attack would cause to the organization’s reputation and services. The extortion email also stated that the organization must not disclose the demand publicly or report it to the media, and warned that doing so would result in the immediate launch of the attack.


A. Nature of Attack

Security researchers assess that the cybercriminals are just copycats and are not associated with the infamous groups. They use the names of well-known threat actors only to leverage their reputation and induce fear and panic in their target organizations. In addition, this kind of scheme is not new: a similar campaign was conducted in the past, in which an extortion group posed as Cozy Bear, an APT group, and contacted several companies warning them of an imminent DDoS attack on their infrastructure unless a ransom was paid.


B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Should you receive a similar extortion email, do not pay any ransom demand; activate your DDoS protection solution (if you have one) and notify your upstream Internet provider of the threat.
  • Increase awareness regarding high volume traffic.
  • Prepare a replacement (backup) website and an auxiliary server in case your systems are disrupted.
  • Ensure all security systems are updated and synchronized.