RDoS: adding the Ransom element to DoS

RDoS: adding the Ransom element to DoS | Read White Blue Ocean Blog

What is RdoS?

In Ransom Denial of Service attacks, cybercriminals send an email to the organisations they wish to target threatening to launch destructive DoS or DDoS attacks, in order to degrade networks and block access to systems, if a ransom is not paid. To make the threat more credible, cybercriminals typically launch a limited attack prior to the payment deadline, in order to pressure organisations into paying the ransom to prevent more destructive attacks from occurring. If the target fails to pay the ransom within the given deadline, cybercriminals typically launch DoS attacks that can last hours, days or even weeks, effectively impairing organisations’ productivity and ability to conduct business, in addition to causing serious reputational damage to the institution. In most cases, the ransom amount increases once the attack starts, and proceeds to increase every day that the victim refuses to pay. It has been observed that threat actors will often pretend to be infamous hacker groups that have close ties to, or are sponsored by, nation-states. The tactic of posing as instantly recognisable cyber group allows cybercriminals to instil more fear and pressure in the target organisation, increasing the chance that a ransom payment will be made. The preferred category of target for this type of attack are organisations that will incur in significant financial losses should their resources and systems be unavailable for even a short period of time.


Global RDoS campaigns

RDoS attacks are not a new weapon for cybercriminals, as this type of malicious activity has been observed since 2016, with two campaigns witnessed in 2017 and 2019. One of the most prolific RDoS campaigns commenced in August 2020, when cybercriminals were observed targeting organisations across the world, particularly in the financial, e-commerce, retail and travel sectors. The campaign involved a threat actor posing as different Advanced Persistent Threat actors including Fancy Bear, the Armada Collective, Lazarus Group and Cozy Bear, sending emails warning institutions that their network will suffer a DDoS attack, should a ransom not be paid within a week. The letter asked the targets for 10 to 20 Bitcoins (equivalent to $113,000-230,000 in 2020) to prevent the attack from occurring, and an additional 10 Bitcoin each day that the ransom is not paid once the attack commences. The spate of attacks led the FBI to issue an alert, labelling the campaign as a serious threat. According to the FBI however, a number of institutions that refused to pay the ransom were not targeted by attacks after the payment deadline. New Zealand’s Stock Exchange did suffer a DDoS attack after not paying the ransom, which impacted the institution’s network connectivity resulting in the halting of the cash markets trading. The ransom email sent to New Zealand’s Stock Exchange claimed to be from the infamous hacker group Fancy Bear. The 2020 campaign ransom note was revealed as being nearly identical to the ransom note used during the 2017 and 2019 campaigns, suggesting the same threat actor was possibly behind all three campaigns.

Following the high levels of activity witnessed in August 2020, the RDoS campaign slowed down in September, only to pick up the pace again in October 2020. One of the victims in October was the British foreign exchange company Travelex, which was threatened with a DDoS attack, unless it paid 20 BTC to the threat actor posing as the Lazarus Group. After receiving the extortion note, Travelex suffered a volumetric attack on a custom port of four IP addresses serving the company’s subdomain.

In 2021, the threat actor reappeared on the cybercrime scene, after disappearing for over a year, using the name Fancy Lazarus, a combination of the two popular cyber group names Fancy Bear and Lazarus. Similarly, to the previous campaigns, the threat actor sent ominous emails to its targets, many of which were said to be institutions that did not pay the ransom in previous campaigns. The targeted organisation were mainly US-based or global institutions, operating in the energy, financial, insurance, manufacturing, public utilities and retail sector. The ransom note sent to these targets shared the same body content as notes from previous campaigns, with the main notable difference being the price of the ransom. As a matter of fact, from the initial 10-20 BTC demanded in 2020, the threat actor was seen to have adjusted the price to account for the fluctuating value of Bitcoin, asking for 2 BTC in 2021 as a starting ransom ($75,000 in 2021). In October 2021, the UK telecommunications sectors disclosed that a number of its VoIP members had been hit by a string of RDoS attacks. Providers, including Voipfone, VoIP, Unlimited and VoIP.ms, claimed to have received the ransom notes from the extortionist group, with some institutions experiencing DDoS attacks following the threat. These attacks resulted in disruption to the companies’ infrastructure and to the telephone and messaging services for several days; in particular, the critical infrastructure of UK entities was impacted including the police, the NHS and public services. Similarly, Bandwidth.com, an upstream provider for VoIP companies, was targeted by the extortion campaign and incurred losses between $9 and 12 million because of service downtime, following the DDoS attack from the threat group.

In October 2021, email providers also attracted the attention of RDoS attackers. Over nine email service providers, including Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, Kolab Now and RiseUp came under DDoS fire after receiving a ransom note giving them 3 days to pay 0.06 BTC (around $4,000). In this case the ransom notes were signed by a different threat actor, going by the name Cursed Patriarch.


To pay or not to pay?

Both FBI and cybersecurity firms advised targeted organisations not to pay the ransom, especially since there is no assurance the threat group will honour the terms set by themselves, and not launch an attack. As pointed out by the FBI, paying the ransom might also lead other extortionist groups to threaten the same targets hoping to receive a ransom payment as well. In addition, paying cybercriminals only funds their future malicious activities, allowing them to refine their capabilities and engage in even more destructive campaigns.


RDoS attacks are expected to grow as a threat and to continue impacting organisations for the foreseeable future. This is the case as even less experienced and less technologically capable threat actors can launch profitable attacks, without the need to gain privileged access like in the case of more complex attack, such as ransomware attacks.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference List














The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.

Related news

Ukraine donation scams | White Blue Ocean Blog
Watch out for fake charities asking for donation to support Ukraine

Amid Russia’s invasion of Ukraine, there have been several warnings on spikes in fraudulent activity carried out by criminals seeking to capitalise on the Ukrainian humanitarian crisis. Numerous reports from across the world show that fraudster are currently tricking people into making donations to fake charities, in order to then pocket the money that was meant to help Ukrainian refugees. It is thought that the amount of money siphoned by fraudsters since the beginning of Russia’s invasion could be of millions of dollars.

Read more
The dangers of VPN credential leaks | White Blue Ocean
The dangers of VPN credential leaks

The increased reliance on VPNs made the latter an attractive target to cybercriminals. In particular, threat actors began exploiting one of the known weakest links in the chain: users’ passwords.

Read more
SIAE Data Breach

News of the latest cyberattack comes from Italy, where on the afternoon of the 20th October it was disclosed that SIAE, the Italian Society of Authors and Publishers, was targeted by a ransomware attack. SIAE, which was founded in 1882, is the Italian copyright collecting agency for artists in different areas of the entertainment industry, including television, music, theatre, visual arts and literature, and aims to guarantee that artists receive the right remuneration for their work.

Read more
Ransomware attack results in the shutdown of the Colonial Pipeline

The cyberattack that at the beginning of May targeted and caused the shutdown of the Colonial Pipeline, the largest fuel pipeline in the US, was a powerful example of the threat posed by the rising number of ransomware attacks, and the detrimental effect they can have not only on businesses but on national critical infrastructure.

Read more
Twitter data breach: exposed the data of 5.4 million accounts | White Blue Ocean
Twitter data breach: exposed the data of 5.4 million accounts

In late July 2022, Twitter confirmed that it had suffered a data breach, after a threat actor appeared in a popular underground forum selling the data of 5.4 million Twitter users. Read more

Read more


Let's talk

Please fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!