
NETSCOUT Discovers DDoS Extortion Campaign Is Re-Targeting the Finance Industry

NETSCOUT, a provider of application and network performance management products, recently revealed that DDoS attacks numbered over 10 million in 2020. With the Covid-19 pandemic seeing cybercriminals take advantage of the unprecedented disruption to everyday life, the finance industry needs to take note and be prepared for potential attacks.

Philippe Alcoy currently serves as APAC security technologist for NETSCOUT, where he works across the research, strategy, and presales of DDoS threat detection, investigation, and mitigation solutions for service providers and enterprises in the Asia Pacific region.

Philippe has more than 20 years of experience in the IT security risk and compliance industry, and here discusses the DDoS extortion campaign that is re-targeting the finance industry.

Philippe Alcoy, Security Technologist for NETSCOUT

In a progressively digital world, the Covid-19 pandemic has driven societies to be even more reliant on online services, and this has provided the opportunity for cybercriminals to strike. Whilst the total number of DDoS attacks dramatically increased worldwide last year, the methodology of attackers transformed too. Threat actors preyed on their targets with DDoS extortion attacks and, for the first time, NETSCOUT has identified a re-targeting campaign against the financial sector.

Simply put, DDoS attacks are coordinated attempts to disrupt the normal availability and performance of a website or online service by deliberately flooding it with traffic. In 2020, the frequency of DDoS attacks against the financial sector increased significantly: between June and August 2020, the industry observed more attacks in those three months alone than it saw in total from April 2016 to May 2020.

In August 2020, there was clear evidence of a global DDoS extortion campaign taking place against the financial sector. The targets included organisations such as regional banks, stock and currency exchanges and, in some cases, their upstream internet transit providers. DDoS extortion attacks can be distinguished from other types of DDoS attacks because the threat actor runs a demonstration DDoS attack against parts of the organisation’s online infrastructure, before or after sending an email to the organisation demanding payment in Bitcoin cryptocurrency.

Most of the time, if the extortion demands of the cybercriminals aren’t met, the DDoS attack that is threatened doesn’t take place and the attacker moves on to the next target. However, NETSCOUT has recently observed a major development with regard to these DDoS extortion attacks: it is now seeing the attackers return to earlier targets, particularly in the financial sector. It appears that these organisations are having their critical infrastructure retargeted due to having access to large amounts of data and money.

This retargeting approach is characterised by the cybercriminals sending a new extortion demand, which mentions the details of the previous demand. They then typically launch the latest DDoS attack at the same time as the new extortion demand is sent. The subjects of these new attacks, which take place weeks or months after the original incident, are the companies that were initially able to avoid giving in to the demands and successfully prevent the first waves of DDoS attacks from taking down their online services.

Who are the suspected threat actors?

The group behind this ongoing campaign has claimed to be connected to well-known attack groups that are regularly spoken about in industry media and has been linked to groups such as ‘Armada Collective’, ‘Fancy Bear’, and ‘Lazarus Group’. The reason for this is to try and make themselves seem like a credible threat to those companies being targeted by the extortion attacks. Given the fact that the attacker is impersonating these threat groups, NETSCOUT has given the attackers the moniker ‘Lazarus Bear Armada’ (LBA).

One noteworthy element of the extortion campaign being run by this group is that they have clearly conducted thorough research prior to launching the attacks. In previous DDoS extortion campaigns, the attacker has chosen a generic or incorrect email address, meaning that the extortion demands are never seen by the intended targets. However, with the LBA campaign, the attackers appear to have conducted a significant amount of due diligence, identifying inboxes that are likely to be regularly checked by the right individuals within the targeted companies.

How can organisations protect themselves from attacks?

Those targeted organisations that have adequately prepared to defend their online infrastructure have experienced very few issues relating to this ongoing DDoS extortion campaign. Even though the attackers have shown that they’ve undertaken diligent pre-attack reconnaissance, the DDoS attack vectors and targeting methods that they’ve used thus far are well known and can be easily mitigated through the use of standard DDoS protection.

One DDoS countermeasure that organisations should deploy is to have cloud-based upstream DDoS mitigation capabilities combined with on-premise intelligent DDoS mitigation services – effectively hybrid DDoS protection. This will provide flexibility and enable the DDoS protection vendor to respond quickly in case an organisation is attacked.

Additionally, it is vital that DDoS defences for an organisation’s online infrastructure are deployed in a situationally appropriate manner, as not all circumstances and organisations are the same. Testing should also take place semi-regularly to ensure that any changes to an organisation’s infrastructure are included in its DDoS defence strategy and that all online infrastructural components are protected against DDoS attacks. For example, if an organisation has its web servers adequately protected but its application servers are neglected, the company is still vulnerable to attacks.

It is also imperative for organisations to learn about the details of previous high-profile DDoS extortion campaigns. This includes familiarising themselves with the extortion campaign led by the group DD4BC (‘DDoS for Bitcoin’), which initially began in 2014 and targeted over 140 companies in industries such as online gaming and financial services over a two-year period.

Though most organisations in the financial sector have the resources in place to successfully protect themselves against DDoS extortion attacks, it is still necessary to take the threat posed by the ongoing DDoS extortion campaign seriously, particularly if an adequate DDoS defence system is not in place. As such, it is wise for those companies in the heavily targeted finance industry to invest in effective DDoS protection.


  • Polly is a journalist, content creator and general opinion holder from North Wales. She has written for a number of publications, usually hovering around the topics of fintech, tech, lifestyle and body positivity.
