Threat Watch

New DDoS Gang Portraying Themselves as Fancy Bear

Unknown Group: An unknown group has been posing as the Russian threat actor group Fancy Bear and attacking the finance vertical by organizing Distributed Denial of Service (DDoS) attacks against financial institutions. First, the group sends a ransom note to the organization that tells the recipient to forward it to someone who “makes decisions” within the organization. The note states that a DDoS attack will begin on a certain date and time unless a ransom is paid to the group in Bitcoin. The note claims to be from Fancy Bear, a well-known state-sponsored threat actor group from Russia, and recommends that the targeted organization Google the Fancy Bear group, in an effort to take credit for the well-publicized exploits of the real Fancy Bear threat group. As a proof of concept that the group has the ability to carry out the attack, a trial run is carried out on a small range of IP addresses within the organization 30 minutes after the note is sent. Instead of targeting the public-facing website, as most DDoS attacks do, these attacks have focused on back-end servers that typically do not have DDoS protection or mitigation services. When back-end servers become unavailable, it typically causes more disruption than a DDoS attack against a public website. Researchers at Link11, Radware, and Group-IB have all confirmed these attacks, stating that there has been an increase in them over the past two weeks. Most of the attacks are being carried out in Singapore, South Africa, and some Scandinavian countries, but this does not mean the group will not target organizations outside those areas. Organizations have a week to pay the ransom after the note and trial DDoS attacks are done before a full-scale DDoS attack is started.


Financial institutions should consider protecting any public-facing server with a DDoS mitigation service, rather than limiting protection to a website. It is highly likely that Fancy Bear is not the group carrying out these attacks. Instead, this is likely the work of a group that is trying to intimidate its targets by impersonating a well-known threat group. Unsuspecting people who receive the email and Google the group will be shocked when they start reading about it, and will likely feel they need to pay the ransom because of the attacks that the real group is responsible for. It is not the modus operandi of Fancy Bear to send ransom emails or carry out DDoS attacks. This attack was seen previously in 2017, when the same note was used in a series of attacks on the finance industry, but no group ever took credit or was suspected of being involved in the attack. Those attacks eventually trailed off after many organizations realized they would not get attacked even if they did not pay the ransom. A company that receives this type of ransom email should consult with law enforcement and security professionals to determine the level of risk involved.