Alerts

This attack is delivered in two phases: 

Phase 1: Email

The target company receives an email stating:

“We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack,”

The email gives a deadline for when the major denial-of-service attack will occur demanding a ransom to prevent it.

Phase 2: Demonstrative denial-of-service

To make the campaign more believable, the attackers may initiate a short denial-of-service attack as a warning. These attacks generally last around 30 minutes.

So far, CERT NZ and international partners have not seen the attackers follow through with the major attack on the deadline provided in the email.

Before sending the email, the attackers research the target company and identify a back-end server, which usually isn’t protected by denial-of-service protection systems.

Ask your IT provider to check if any of your internet-facing systems expose protocols that are being targeted. Details of which protocols are targeted are on the technical version of this alert.

Technical advisory: DDoS extortion emails External Link

We recommend you do not pay the ransom, as this could result in your company becoming a target again.

To protect against denial-of-service attacks, you may need to work with your ISP, and use a denial-of-service protection service, such as Cloudflare or Akamai, to prevent the denial-of-service traffic from reaching your systems.

If you experience this attack, report it to us.

Report to CERT NZ External Link