A cybercrime group, which is known for masquerading as various APT groups, is active again with targeted attacks on U.S. companies. It is a DDoS extortion group, and this time, it came back with similar threats as before.

What's new?

According to Proofpoint, Fancy Lazarus has been sending threatening and targeted emails about Ransom DDoS (RDDoS) attacks by multiple organizations. Previously, the group was active in a major campaign spotted in October 2020.
  • Most of the targeted organizations in the recent attacks are found to be operating in multiple sectors such as energy, insurance, financial, public utilities, retail, and manufacturing.
  • The group is demanding a starting ransom of 2 BTC (at present evaluated at $75,000) to avoid a DDoS attack.
  • The extortion price doubles to 4 BTC after the specific deadline and increases by 1BTC every single day after that. In addition, most of these targets are found to be based in the U.S.
  • It’s hard to make a definitive connection, however, the timing of Fancy Lazarus campaigns is similar to high-profile ransomware attacks that happened in the past six months in the same industries.

The RDDoS attack

The attackers threaten the victim about a DDoS attack in seven days if the latter doesn’t pay up, and warns of potential damage to reputation. The group threatens to launch a small DDoS attack with an attack speed of 2Tbps.
  • The extortion emails are sent in plain text, HTML-based, or a letter in a JPG image, likely to avoid detection. Additionally, such emails are often sent to the help desk, administrative contacts, or customer service.
  • These emails are sent to well-researched recipients, who are listed as contacts in BGP, Whois information, or working in external relations, communications, and investor relations domains.


It is not possible to know the success rate of the recent Fancy Lazarus campaigns, however, even a low success rate is a worthwhile tactic. In addition, the RDDoS attacks are not a recent development and are becoming more popular due to the mainstream use of cryptocurrencies. Therefore, organizations are recommended to take proactive measures to stay protected.

Cyware Publisher