Unknown Group: An unknown group has been pretending to be the Russian threat actor group Fancy Bear. The group has been attacking the finance vertical by organizing Distributed Denial of Service (DDoS) attacks against financial institutions. First, the group will send a ransom note to the organization that tells the recipient to forward it to someone who “makes decisions” within the organization. The note reads that they are going to begin a DDoS attack on a certain date and time unless a ransom is paid to the group in Bitcoin. The note states that it is from Fancy Bear, which is a well-known state-sponsored threat actor group from Russia. The ransom demand recommends that the targeted organization should Google the Fancy Bear group, in an effort to take credit for the well-publicized exploits of the real Fancy Bear threat group. A trial run is carried out on a small range of IP addresses within the organization 30 minutes after the note is sent as a proof of concept that the group has the ability to carry out the attack. Instead of targeting the public-facing website, as most DDoS attacks usually do, these attacks have focused on back-end servers that typically do not have DDoS protection or mitigation services.  When back-end servers become unavailable, it typically causes more disruption than a DDoS attack against a public website.  Researchers at Link11, Radware, and Group-IB have all confirmed these attacks stating that there has been an increase in them over the past two weeks. Most of the attacks are being carried out in Singapore, South Africa, and some Scandinavian countries, but this does not mean the group will not target organizations outside those areas. Organizations have a week to pay the ransom after the note and trial DDoS attacks are done before a full-scale DDoS attack is started.