Fake Lazarus DDoS Gang Launches New “Attacks”

Traditional ransomware attacks may have taken over the news cycle, but Proofpoint researchers say the malicious actors who presents themselves as the North Korean-backed Lazarus advanced persistent threat group have revamped their distributed denial-of-service ransom extortion strategy and rebranded the group with a new moniker.

See Also: Live Webinar | The Role of Passwords in the Hybrid Workforce

“These names reference real APT groups that are nation-aligned or nation-sponsored, but there is no evidence that the extortion DDoS actor tracked in this blog has any association with those APT groups. They are simply leveraging the well-known names to scare their targets,” says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

The gang may be all talk and no action, as few DDoS attacks apparently take place and are simply attempting to take advantage of the fear ransomware has struck in companies to make a quick buck.

“While Proofpoint does not have visibility into the actual ‘Fancy Lazarus’ DDoS attacks and whether they are carried out, FBI reporting indicates that many affected companies that pass the threatened deadline either do not see any additional activity or the activity is successfully mitigated,” the company says.

The group went quiet during April, but recently reemerged, adding the name “Fancy Lazarus” to the list of names under which it operates which includes Lazarus, Lazarus Group, Fancy Bear and Armada Collective.

Additionally, Proofpoint notes that the gang has altered its ransom price structure and phishing email content in recent attacks while continuing to primarily target U.S. and global organizations.

It is also unknown if the gang’s tactic has resulted in any victims paying a ransom, says DeGrippo.

Back in Action

The gang first came to light in August 2020. As of May 12, 2021, Proofpoint researchers are tracking renewed DDoS extortion activity targeting an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities and retail, the report says.

The gang made changes in addition to its name. In the latest round of attacks, the group has returned to the original ransom notes it used in December and August 2020, when it told the victim to Google its name, which would likely bring up a story based on the real Lazarus threat group. The note then went on to say that if the victim declined to pay the ransom, Fancy Lazarus would launch a DDoS attack.

The gang first threatened a small DDoS attack to show the capability exists. Then if no payment was received within seven days, it threatened a larger “2TB per second” attack that would shut down the victim’s operation, Proofpoint says.

“The email content in the recent campaigns is similar to emails they sent in December 2020, indicating that version’s potential effectiveness,” says DeGrippo.

The security firm did not give an example of any other email content the gang utilized.

New Low Price!

The group also dropped the amount of ransom it demands. Its original price of 10 bitcoins has been reduced to 2 bitcoins.

“As bitcoin prices fluctuate, we see some change in their demand amounts, proving that cryptocurrency markets and malicious actor activity are absolutely correlated,” DeGrippo says. “Threat actors send their campaigns when the prices are most advantageous, attempting to make more money when the various currencies are at a high valuation.”