[Cloudflare] Notification about increase in ransom DDoS threats

I received this Email from Cloudflare.

Dear Cloudflare Customer:

We are reaching out because over the last several weeks, there has been an increase in ransom-driven DDoS attack threats. Entities claiming to be Fancy Bear / Cozy Bear / Lazarus are threatening to launch DDoS attacks against organizations’ websites and network infrastructure unless a ransom is paid before a given deadline. Prior to the ransom note, a small DDoS attack is usually launched as a form of demonstration. The demonstration attack is typically a UDP reflection attack using a variety of protocols, lasting roughly 30 minutes in duration (or less).

An excerpt of the ransom note is here:

"We are the Fancy Bear and we have chosen as target for our next DDoS attack.

Your whole network will be subject to a DDoS attack starting at Monday (in 6 days). (This is not a hoax, and to prove it right now we will start a small attack on a few of your IPs that will last for 30 minutes."

The ransom note is typically sent to the common group email aliases of the company—i.e. [email protected], [email protected], [email protected], [email protected], [email protected], etc. In several cases, it has ended up in spam.

You can view a sample of the whole ransom note here. You can also view the FBI report here.

What to do if you receive a threat:

  1. Do not panic and do not pay the ransom: Paying ransom only encourages bad actors—and there’s no guarantee that they won’t attack your network now or later.
  2. Notify local law enforcement: They will also likely request a copy of the ransom letter that you received.

How to prepare now for this threat:

  1. Ensure your network infrastructure is protected: These attacks are targeting both web properties as well as network infrastructure. We have successfully mitigated these attacks for our customers through our core DDoS solution and Magic Transit (for IP infrastructure). If we can be helpful to you and your organization, we stand ready to help.
  2. Enable DDoS alerts: If you are on a Cloudflare paid plan, you can be notified immediately in the case of an attack on your Cloudflare protected Internet-property. Click here to enable DDoS alerts from your dashboard.
  3. Review our support docs: Learn best practices to secure your Cloudflare-enabled site and review how to respond to ransom notes threatening a DDoS attack here.

The Cloudflare Team

Five days ago I mentioned a server load issue; check this thread: Server Load due to Cloudflare IP hit

Is this related to my issue?
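As an added example (not from Cloudflare's email or anyone in this thread): a small detector that applies the email's description of the demonstration attack, a short UDP reflection burst from several protocols against one address, to constructed flow records. The reflector port-to-protocol map, the thresholds and the flow line format are assumptions; the addresses are documentation ranges.

```python
from collections import defaultdict
from datetime import datetime

# Well-known UDP service ports commonly abused as reflectors; a flood of replies
# sourced *from* these ports toward one of our addresses is the pattern described.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

# Constructed sample flow records (not real telemetry), one per line:
# "timestamp,proto,src_ip,src_port,dst_ip,dst_port,bytes". 203.0.113.0/24 stands in for our prefix.
SAMPLE_FLOWS = """\
2020-08-20T10:00:05,UDP,198.51.100.7,123,203.0.113.10,44011,482000
2020-08-20T10:02:11,UDP,198.51.100.9,1900,203.0.113.10,44011,910000
2020-08-20T10:09:40,UDP,198.51.100.12,389,203.0.113.10,44011,2300000
2020-08-20T10:15:02,UDP,198.51.100.31,123,203.0.113.10,44011,510000
2020-08-20T10:26:30,UDP,198.51.100.44,1900,203.0.113.10,44011,880000
2020-08-20T10:03:00,UDP,192.0.2.53,53,203.0.113.20,51234,612
2020-08-20T10:04:00,TCP,192.0.2.80,443,203.0.113.20,51235,150000
"""

def parse_flow(line):
    ts, proto, sip, sport, dip, dport, nbytes = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "proto": proto, "src_ip": sip,
            "src_port": int(sport), "dst_ip": dip, "bytes": int(nbytes)}

def detect_reflection(flow_text, min_reflectors=3, min_bytes=1_000_000):
    """Group inbound UDP flows sourced from reflector ports by destination and flag
    destinations hit from many distinct reflectors with a large aggregate volume.
    Returns {dst_ip: {"reflectors", "protocols", "bytes", "minutes"}} for flagged hosts."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "protocols": set(), "bytes": 0, "times": []})
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f["proto"] != "UDP" or f["src_port"] not in REFLECTION_PORTS:
            continue  # ordinary TCP traffic and non-reflector UDP are ignored
        d = per_dst[f["dst_ip"]]
        d["reflectors"].add(f["src_ip"])
        d["protocols"].add(REFLECTION_PORTS[f["src_port"]])
        d["bytes"] += f["bytes"]
        d["times"].append(f["ts"])
    alerts = {}
    for dst, d in per_dst.items():
        if len(d["reflectors"]) >= min_reflectors and d["bytes"] >= min_bytes:
            span = max(d["times"]) - min(d["times"])  # burst length, e.g. ~30 min demo attack
            alerts[dst] = {"reflectors": len(d["reflectors"]), "protocols": sorted(d["protocols"]),
                           "bytes": d["bytes"], "minutes": round(span.total_seconds() / 60, 1)}
    return alerts

if __name__ == "__main__":
    for dst, a in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{dst}: {a['reflectors']} reflectors via {a['protocols']}, {a['bytes']} bytes over {a['minutes']} min")
```

A single DNS reply to 203.0.113.20 is not flagged, which is the point of requiring several distinct reflectors and a volume floor rather than alerting on any reflector-port source.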

Hi @imanulla4, I suspect they’re not related, the post you referenced was about restoring visitor IP. An attack may be the cause of the increased traffic, but if you’ve not received a request for ransom, those attacks are probably not related to the alert we recently sent. That email was to notify our customers of a ransom-driven attack trend we’re seeing and to make you aware of resources on how to respond in the event you are under a ransom-motivated attack.

Adding a link to a great bit of Learning Center content, https://www.cloudflare.com/learning/ddos/ransom-ddos-attack/

I received this notification as well. Trying to read the FBI report referenced in the email, but it takes me to a login screen at cloudflare.okta.com which I can’t access. Is there another link to this report?
