Financial sector targeted in blackmail campaign
We have received reports of extortion emails targeting companies within the financial sector in New Zealand.
The emails claim to be from a Russian group called ‘Fancy Bear / Cozy Bear’ and demand a ransom to avoid denial-of-service attacks. The senders carry out a short denial-of-service attack against a company’s IP address to demonstrate their intent. So far, the larger denial-of-service attack has not followed when the ransom was not paid.
This attack is delivered in two phases:
Phase 1: Email
The target company receives an email stating:
“We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack.”
The email gives a deadline for when the major denial-of-service attack will occur, and demands a ransom to prevent it.
Phase 2: Demonstrative denial-of-service
To make the campaign more believable, the attackers may initiate a short denial-of-service attack as a warning. These attacks generally last around 30 minutes.
So far, CERT NZ and international partners have not seen the attackers follow through with the major attack on the deadline provided in the email.
What this means
Before sending the email, the attackers research the target company and identify a back-end server, which is usually not covered by denial-of-service protection systems.
What to look for
How to tell if you're at risk
Ask your IT provider to check if any of your internet-facing systems expose protocols that are being targeted. Details of which protocols are targeted are on the technical version of this alert.
What to do
We recommend you do not pay the ransom, as this could result in your company becoming a target again.
To protect against denial-of-service attacks, you may need to work with your ISP and use a denial-of-service protection service, such as Cloudflare or Akamai, to prevent the denial-of-service traffic from reaching your systems.
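The two checks above (a back-end server reachable directly, and internet-facing systems exposing services that should not be public) can be turned into a simple offline review. The following Python script is an added example and is not CERT NZ's code: the protection provider's IP ranges, the DNS answers for the company's hostnames and the external service inventory are all constructed here for illustration, and the set of services a business intends to expose (ALLOWED_SERVICES) is an assumption. In practice the ranges come from your protection provider's published list, the answers from real DNS lookups, and the inventory from an external scan run by your IT provider; the technical version of this alert lists the protocols to pay particular attention to.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple


def parse_ranges(cidrs: Iterable[str]) -> list:
    """Turn CIDR strings into network objects (accepts host bits, e.g. 203.0.113.5/24)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_protected(ip: str, ranges) -> bool:
    """True if the address belongs to the protection provider (traffic is scrubbed first)."""
    addr = ipaddress.ip_address(ip)
    # Membership across IP versions is False, so mixed v4/v6 lists are safe.
    return any(addr in net for net in ranges)


def unprotected_hosts(dns_answers: Dict[str, List[str]], ranges) -> List[str]:
    """Hostnames whose DNS answers include an address outside the provider's ranges.

    One unprotected answer is enough to flag the host: it gives a direct path to the
    back-end server that bypasses the denial-of-service protection.
    """
    exposed = []
    for host, addrs in sorted(dns_answers.items()):
        if not all(is_protected(a, ranges) for a in addrs):
            exposed.append(host)
    return exposed


def unexpected_services(services, allowed: Set[Tuple[str, int]]) -> List[Tuple[str, str, int]]:
    """Listening services on company IPs that are not on the intended-exposure allowlist."""
    flagged = []
    for svc in services:
        if (svc["proto"], svc["port"]) not in allowed:
            flagged.append((svc["ip"], svc["proto"], svc["port"]))
    return sorted(flagged)


def risk_report(dns_answers, services, ranges, allowed) -> dict:
    """Combine both checks into one review result for the IT provider."""
    return {
        "unprotected_hosts": unprotected_hosts(dns_answers, ranges),
        "unexpected_services": unexpected_services(services, allowed),
    }


# Constructed: IP ranges published by a hypothetical protection provider (documentation prefixes).
PROTECTION_RANGES = parse_ranges(["203.0.113.0/24", "198.51.100.0/24"])

# Constructed: DNS answers for the company's public hostnames (example domain).
DNS_ANSWERS = {
    "www.example.co.nz": ["203.0.113.10", "198.51.100.10"],
    "api.example.co.nz": ["203.0.113.11"],
    "legacy-app.example.co.nz": ["192.0.2.45"],  # resolves straight to a back-end server
}

# Constructed: services found listening on company-owned IPs by an external inventory scan.
EXPOSED_SERVICES = [
    {"ip": "192.0.2.45", "proto": "tcp", "port": 443},
    {"ip": "192.0.2.45", "proto": "tcp", "port": 3306},
    {"ip": "192.0.2.46", "proto": "tcp", "port": 22},
]

# Assumption: only HTTPS is meant to be reachable from the internet; everything else is flagged.
ALLOWED_SERVICES = {("tcp", 443)}

if __name__ == "__main__":
    report = risk_report(DNS_ANSWERS, EXPOSED_SERVICES, PROTECTION_RANGES, ALLOWED_SERVICES)
    for host in report["unprotected_hosts"]:
        print(f"hostname bypasses protection service: {host}")
    for ip, proto, port in report["unexpected_services"]:
        print(f"unexpected internet-facing service: {ip} {proto}/{port}")
```

Anything the script flags is a candidate for moving behind the protection service or closing at the firewall; a host that resolves only to provider addresses is still exposed if its origin IP is leaked elsewhere, so the inventory check matters as much as the DNS one.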
If you experience this attack, report it to us.