Researchers Warn DDoS Actor “Fancy Lazarus” Is Back in Action

Written by Bill Toulas
Last updated June 23, 2021

Researchers at Proofpoint have confirmed the return of the DDoS actor that goes by the name “Fancy Lazarus” - which, by the way, doesn’t have an apparent connection to the notorious North Korean APT group. By analyzing its activity, the researchers figured that the DDoS group returned to action on May 12, 2021, following a hiatus that lasted several months. “Fancy Lazarus” is now targeting mostly U.S. companies, demanding the payment of a ransom for not having to deal with DDoS-induced downtimes and service disruptions.

The campaign relies upon the distribution of malicious emails which inform the recipient of what’s about to happen. The actors warn the victim that in seven days, they will experience the results of a massive DDoS attack against their online infrastructure. Then, as proof that the mail isn’t a hoax, they launch a “small” attack that deploys approximately 8.5% of their total firepower and has a limited duration of two hours.

Source: Proofpoint

The only way to avoid this trouble is to pay the actors 2 BTC, although the amount fluctuates depending on the BTC value at the time. If the recipient doesn’t respond to this demand, the price goes up to double the amount, and then 1 Bitcoin is added for every extra day that passes after the deadline (seven days). The actors close their message by saying that there’s nothing to negotiate and there’s no point in sending any replies to the email.

In the same message, the actors claim to be the group responsible for causing the lengthy disruption in New Zealand’s stock exchange back in August 2020, but of course, we have no way to confirm that. An FBI alert from that time, though, has pointed the finger at the particular actors and detailed that the group’s activities are similar to other DDoS extortion attempts they first noticed all the way back in 2017. Unfortunately for everyone, the source of the attacks remains unknown, so the actors are still free to continue their operations.

If you happen to receive a threatening message from “Fancy Lazarus,” the advice is to report it to the police and not pay anything to the actors. Even if you do, you should keep in mind that nothing guarantees that they won’t return with additional demands. There’s no ethics or trustworthiness in crooks, so paying them the ransom is only an indication that you’re probably open to succumbing to more demands of this kind.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: