We highlight current cyber security threats in New Zealand, and provide guidance on what to do if they affect you.

3:15pm, 1 November 2019

TLP Rating: Clear

Financial sector targeted in blackmail campaign

We have received reports of extortion emails targeting companies within the financial sector in New Zealand.

The emails claim to be from a Russian group called ‘Fancy Bear / Cozy Bear’ and demand a ransom to avoid denial-of-service attacks. They carry out a short denial-of-service attack against a company’s IP address to demonstrate their intent. So far, a larger denial-of-service hasn’t happened if the ransom is not paid.

What's happening

Systems affected

This attack is delivered in two phases: 

Phase 1: Email

The target company receives an email stating:

“We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack,”

The email gives a deadline for when the major denial-of-service attack will occur demanding a ransom to prevent it.

Phase 2: Demonstrative denial-of-service

To make the campaign more believable, the attackers may initiate a short denial-of-service attack as a warning. These attacks generally last around 30 minutes.

So far, CERT NZ and international partners have not seen the attackers follow through with the major attack on the deadline provided in the email.

What this means

Before sending the email, the attackers research the target company and identify a back-end server, which usually isn’t protected by denial-of-service protection systems.

What to look for

How to tell if you're at risk

Ask your IT provider to check if any of your internet-facing systems expose protocols that are being targeted. Details of which protocols are targeted are on the technical version of this alert.

Technical advisory: DDoS extortion emails External Link

What to do


We recommend you do not pay the ransom, as this could result in your company becoming a target again.

To protect against denial-of-service attacks, you may need to work with your ISP, and use a denial-of-service protection service, such as Cloudflare or Akamai, to prevent the denial-of-service traffic from reaching your systems.


If you experience this attack, report it to us.

Report to CERT NZ External Link

More information

For CERT NZ media enquiries, email our media desk at or call the MBIE media team on 027 442 2141.

What is denial-of-service? External Link