Email body: There are three email variants sent to the same recipients conveying the same information, except with the email body in plain text, HTML, or as a JPG image attachment.The emailed individuals also work in areas such as communications, external relations, investor relations. Additionally, extortion emails are often sent to email aliases such as help desk, abuse, administrative contacts, or customer service. Recipients: The emails are typically sent to well researched recipients, such as individuals listed as contacts in Border Gateway Protocol (BGP) or Whois information for company networks.Example of current emails being sent by “Fancy Lazarus.”Įach of the campaigns is also characterized by the following elements: The emails claim that the max attack speed will be "2 Tbps.” They also warn about potential damage to the target company’s reputation and loss of internet access at their offices almost certainly to further coerce the victim into complying with their demands.įigure 1. The current iteration, as illustrated in Figure 1, starts with an announcement of the name the group uses currently and an acknowledgement that they are targeting a specific company. They then threaten a DDoS attack in seven days, and, to prove it is not a hoax, mention a "small attack" that will be launched on a specific IP, subnet, or Autonomous System. The campaigns always begin with sensational emails.
In each case the threat actor demanded Bitcoin payment or else a small-scale denial-of-service attack would be launched with a more substantial attack mere days later. Federal Bureau of Investigation (FBI) alerted organizations to a spate of ransom denial-of-service extortion emails from this group. According to the published reports, this group took aim at thousands of organizations from multiple global industry verticals. In mid-to-late August 2020, Akamai and the U.S. Between August 2020 and now, however, they have tried completely different text in the emails. It is interesting that the group is still going back and tweaking the original email, potentially indicating its effectiveness. Variation in email content: In terms of email body content, the specific variant is reminiscent of the original variants from August 2020 with some minor changes and evolutions.This change is likely to account for Bitcoin’s fluctuating value. New price: The extortion emails now have adjusted ransom pricing, lowering it from ransoms as high as ten Bitcoin (BTC) to its current two BTC starting price.New name: The group, who have previously identified themselves as “Fancy Bear”, “Lazarus,” “Lazarus Group,” and “Armada Collective,” among others, is now going by “Fancy Lazarus.” There is no known connection between this group and the APT actors with the same names.companies or those with a global footprint. The actor took over a month-long break from April to May 2021 before returning with new campaigns that include some changes to the group’s tactics, techniques, and procedures: