RDoS attacks by fake Fancy Bear hit banks in multiple locations

Anastasiya Tikhonova
Head of APT Research at Group-IB
In 2017, security researches spotted a wave of ransom denial-of-service (RDoS) campaigns. The extortionists distributed emails threatening DDoS attacks unless the ransom is paid. They used the names of different threat actors, including Fancy Bear, to inspire fear and dread. In most past cases they were nothing but empty threats.

In late October 2019, Group-IB experts have detected another massive email campaign spreading similar ransom demands sent to banks and financial organizations across the word. The attackers posing as notorious Fancy Bear threatened to launch DDoS attack if a ransom is not paid. In some cases, the attackers did carry out small DDoS attacks to demonstrate their capabilities and validate the threat. The attacks were also confirmed by other security researchers.
According to Group-IB's Threat Intelligence, the campaign by fake Fancy Bear's (aka APT28) was launched in late October, when different banks and financial organizations in Singapore, South Africa, Scandinavian countries and likely in some other locations received the extortion emails. The emails sent from sednit@ctemplar[.]com were written in English and threatened to launch a DDoS attack unless a ransom of 3 BTC is paid by a certain deadline. The attackers warned that the fee would increase by 2 BTC after each day past the deadline.
Some banks that received this email have indeed experienced a demo DDoS attack. The attack vectors included floods using the UDP and ICMP protocols. It is worth noting that the attackers used UDP-port 3283. This is a new vector for DDoS, which was first detected in June 2019. UDP-port 3283 is associated with the Apple Remote Desktop Application (ARD) and its service (ARMS). However, these emails and demo-DDoS attacks did not follow through with cyber attacks.
Not the typical modus operandi for Fancy Bear
The attackers offered the recipients to "perform a Google search for Fancy Bear to have a look at some of their previous work". The use of Fancy Bear name, a state-sponsored threat actor associated with Russia, was clearly an attempt to intimidate the victims. Fancy Bear (also known as APT28, Sednit group, Sofacy, Pawn Storm, Strontium, Tsar Team, TG-4127, Group-4127, TAG_0700, Swallowtail, Iron Twilight, Group 74) has been active since 2004 and is specialized in attacks on government and international organizations all over the world.

It's clear that the infamous Fancy Bear group has nothing to do with this RDoS (ransom denial-of-service) campaign. Their motivation is sabotage and espionage, while those behind these emails are purely motivated by money. This is nothing but a naive attempt of social engineering.