05 Dec

Recently, on Threat Intelligence collected some information about ransom denial-of-service (Ransom denial-of-service) attacks, the attacker asked for ransom for the victims to not be attack.

Those attackers extorted money from bullies by sending emails threatening the victims. Most attackers take the group's name  Fancy Bear to take the reputation of this group to threaten the victims with fear. Attackers posing as the infamous Fancy Bear threatened to launch a DDoS attack if the ransom was not paid. In some cases, attackers have made small DDoS attacks to prove their capabilities and validate threats. The attacks are also confirmed by other security researchers.

In the same phase, CMC Cyber Security received support requests from an organization when they received the same threatening email


Some organizations that received this threat email also had a demo DDoS attack on their servers.

Vector attack (floods) uses protocols UDP and ICMP , especially the attacker was using UDP / 3283, this is a newly discovered attack vector on 06/2019.

Port UDP / 3283 is used by the protocol Apple Remote Desktop Application (ARD) and ARMS service.

Fancy Bear, also known as APT28 (Sednit group, Sofacy, Pawn Storm, Strontium, Tsar Team, TG-4127, Group-4127, TAG_0700, Swallowtail, Iron Twilight, Group 74) has been operating since 2004, Fancy Bear is an organization hackers specialize in attacking large organizations and governments with APT campaigns.

Can confirm is the group Fancy Bear has nothing to do with ransom denial-of-service (RDO) campaigns, their goal is mostly to crack and spy, while their target is to spend money on something Fancy Bear sponsored, just a bit of a threat to using social engineering.

The source ip is used by the attacker to use random for UDP Flood during the attack RDoS

CMC Cyber Security will only be partially public, if you want more please contact the details.

There are many methods to mitigate this type of DDOS attacks and it is not too difficult to implement. We will continue to apdate the specific details as soon as possible.