During the past week, there has been a sudden surge in online extortion campaigns, against regular users and security researchers alike.
The most devious of these was a campaign detected by Forcepoint security researcher Roland Dela Paz, which tried to trick users into thinking hackers had gotten their hands on sensitive or sexually explicit images of them.
Attackers demanded payments of $320 to a Bitcoin address, threatening otherwise to send the compromising material to the victim's friends.
This attempted blackmail message was the subject of a massive spam campaign that took place between August 11 and 18. Dela Paz says attackers sent out extortion emails to over 33,500 victims.
Most of the targets were from Australia and France. The extortion campaign was particularly active in Australia, where it caught the eye of officials at the Australian National University, who issued a safety warning on the topic, alerting students of the emails.
The extortion attempt was obviously fake, says Dela Paz.
"The scale of this campaign suggests that the threat is ultimately empty," the expert explained. "If the actors did indeed possess personal details of the recipients, it seems likely they would have included elements (e.g. name, address, or date of birth) in more targeted threat emails in order to increase their credibility."
Dela Paz warns that the campaign is still ongoing. Users can recognize the blackmail attempts by the following subject line formats:
In addition, during the past week, there were also extortion attempts sent to organizations. A hacker group calling itself ANX-Rans tried to extort a French company.
Another group calling itself CyberTeam also tried to extract a ransom payment of 5 Bitcoin (~$20,000) from Abuse.ch, the website of a prominent Swiss security researcher.
"DDoS extortion from CyberTeam against abuse.ch .... what a bunch of idiots!" pic.twitter.com/R0gT0M3GsN — abuse.ch (@abuse_ch), August 21, 2017
These DDoS threats in the hope of extracting Bitcoin payments are called DDoS-for-Bitcoin or RDoS (Ransom DDoS) attacks. RDoS attacks have been on the rise since mid-June after a South Korean hosting provider paid a ransom of nearly $1 million after web ransomware encrypted its customer servers.
Ever since then, RDoS groups have become extremely active, hoping for a similar payday. We've already covered the groups active at the time in an article here.
Since then, the most prominent RDoS campaign that took place was in mid-July when a group using the name of the Anonymous hacker collective tried to extort payments from US companies under the threat of DDoS attacks.
At the time, Bleeping Computer obtained a copy of the ransom email from cyber-security firm Radware, which was investigating the threats.
Radware said that despite posing as Anonymous hackers, this was the same group who tried to obtain ransoms of $315,000 from four South Korean banks (for these RDoS extortions the group posed as Armada Collective, another famous hacking crew).
"This is not an isolated case. This is a coordinated large-scale RDoS spam campaign that appears to be shifting across regions of the world," Radware security researcher Daniel Smith told Bleeping Computer via email at the time.
"All ransom notes received have the same expiration date," he added. "In RDoS spam campaigns like this one the actors threaten multiple victims with a 1Tbps attack on the same day."
The group also claimed it was in control of a Mirai botnet made up of compromised IoT devices and was capable of launching DDoS attacks of 1 Tbps. No such attacks have been observed following the ransom demands on US companies.
In research presented at the USENIX Security conference last week, researchers from Cisco, Akamai, Google, and three US universities revealed that, despite the botnet's reputation for being able to take down some of the largest online companies around, most variants of the Mirai botnet were mainly used to target online gaming servers.
Most of these DDoS attacks on gaming servers were also relatively small, because the pool of compromised IoT devices (the DDoS resources) was split among multiple competing botnets.
In addition to the group posing as Anonymous, Radware also reported on multiple RDoS extortion attempts on gaming providers that also took place in July.
"We suggest companies do not pay the ransom," Smith said at the time, a recommendation still valid today, since paying only encourages more blackmailers to join in.