Fancy Lazarus DDoS Extortion Campaign
ASERT Threat Summary
Date/Time: 17 June 2021 1300 UTC
Distribution: TLP: WHITE
Contributors: Jon Belanger, Richard Hummel.
In May 2021, self-designated threat actor(s) ‘Fancy Lazarus’ began a new campaign of distributed denial-of-service (DDoS) extortion attacks against organizations. The attacks followed a familiar pattern: after launching demonstration DDoS attacks, Fancy Lazarus threatened to follow up with a more devastating attack against critical assets unless the victim paid a demanded sum in Bitcoin cryptocurrency. The threat actor behind this campaign appears to be trading on the success of what we call the Lazarus Bear Armada (LBA) campaign. The extortion demand verbiage is copied almost verbatim from that of the LBA campaign, although the threat actors have changed the name to ‘Fancy Lazarus’ and decreased the amount of Bitcoin demanded. Unlike the ongoing LBA campaign, the Fancy Lazarus campaign appears less sophisticated, targets a narrower victim base, and uses a different attack methodology against its victims. NETSCOUT has yet to observe Fancy Lazarus campaign attacks accomplish their claim of 2 TBps attacks, and thus far they have had little to no impact on customer networks.
- Actors behind a new DDoS extortion campaign self-dubbed ‘Fancy Lazarus’ leverage the ongoing LBA campaign in name and credibility.
- The threat actors behind the Fancy Lazarus DDoS extortion campaign have targeted various broadband access and transit Internet Service Providers (ISPs) in the United Kingdom (UK), Ireland, Scandinavia, and western Europe. Specifically, many of these attacks were launched against authoritative DNS servers. The attack bandwidth upper limit is around 72 Gbps and consists of DNS reflection/amplification attacks, DNS water torture attacks, RST floods attacks, and TCP reflection/amplification attacks.
Beginning in May 2021, a threat actor with the self-assigned designation ‘Fancy Lazarus’ launched a series of DDoS extortion attacks largely directed towards broadband access and transit ISPs located in the UK, Ireland, Scandinavia, and western Europe. These attacks are characterized by the attacker launching a demonstration DDoS attack against authoritative DNS servers operated by targeted organizations, followed by an emailed extortion demand for payment in Bitcoin cryptocurrency.
The extortion demands typically state that the attacker has up to 2 TBps of DDoS attack capacity at the ready and threatens follow-up attacks if the extortion payments aren’t transmitted to the attacker within a set period. To date, no follow-up attacks have been observed against organizations that do not comply.
The threat actor responsible for this attack campaign has directly copied the language of publicly posted extortion demand email messages previously sent to targeted organizations by the LBA DDoS extortionist threat actor, changing the self-attribution to ‘Fancy Lazarus’ and reducing the demanded extortion amount. Due to observed differences in levels of pre-attack reconnaissance, attack efficacy, and persistence, it appears that the Fancy Lazarus DDoS attack campaign is the work of a copycat rather than the LBA threat actor.
The primary attack vectors observed in this campaign are DNS reflection/amplification attacks, DNS non-existent record attacks (also known as ‘DNS water torture’ attacks), RST floods, and TCP reflection/amplification attacks.
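The ‘DNS water torture’ vector named above floods an authoritative server with queries for random, non-existent labels under a zone it serves, so each query forces a lookup and an NXDOMAIN answer. The following is an added example (not from the ASERT report or NETSCOUT tooling) of a simple detector that runs over constructed BIND-style query-log lines and flags a zone when nearly every query carries a unique, high-entropy leftmost label; the zone-depth and threshold values are assumptions to be tuned per deployment.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample query-log lines (not taken from the report). The
# random eight-character labels mimic a water-torture flood; www/mail
# are ordinary client lookups mixed into the same log.
SAMPLE_LOG = """\
client 192.0.2.10#5301: query: www.example.net IN A
client 192.0.2.10#5301: query: mail.example.net IN MX
client 198.51.100.7#4111: query: x7q2kd9a.example.net IN A
client 198.51.100.7#4112: query: p0mzv3lr.example.net IN A
client 198.51.100.8#4113: query: a9sk2lqw.example.net IN AAAA
client 198.51.100.9#4114: query: zz91mnb3.example.net IN A
client 198.51.100.7#4115: query: kq8v1xne.example.net IN A
client 198.51.100.8#4116: query: w3rt7yh0.example.net IN A
client 192.0.2.11#5302: query: www.example.org IN A
"""

LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

def shannon_entropy(label):
    """Bits per character of a DNS label; random labels score high."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(log_text, zone_labels=2, entropy_threshold=2.5, min_queries=5):
    """Group queries by parent zone (assumed: zone = last `zone_labels`
    labels) and flag zones where almost all leftmost labels are unique
    and most look random. Returns per-zone counters plus a verdict."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "random": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(2).rstrip(".").lower().split(".")
        if len(parts) <= zone_labels:
            continue  # query for the zone apex itself, not a subdomain
        zone, label = ".".join(parts[-zone_labels:]), parts[0]
        s = stats[zone]
        s["queries"] += 1
        s["labels"].add(label)
        s["random"] += shannon_entropy(label) >= entropy_threshold
    result = {}
    for zone, s in stats.items():
        unique_ratio = len(s["labels"]) / s["queries"]
        random_ratio = s["random"] / s["queries"]
        result[zone] = {"queries": s["queries"],
                        "unique_labels": len(s["labels"]),
                        "suspicious": (s["queries"] >= min_queries
                                       and unique_ratio > 0.9
                                       and random_ratio > 0.5)}
    return result
```

In production the same per-zone ratios would be computed over a sliding time window and correlated with the server's NXDOMAIN response rate before triggering response-rate limiting or upstream mitigation.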
The maximum attack bandwidth and packet rate observed over the course of this attack campaign are 72 Gbps and 7.3 Mpps, respectively. While the attacker has claimed to have up to 2 TBps of DDoS attack capacity, no attacks approaching this magnitude have yet occurred.
Pre-attack reconnaissance appears largely limited to the identification of authoritative DNS servers operated by the targeted organization. Recipients chosen to receive the attacker’s extortion demands appear to have been selected based on perusal of the target’s public-facing websites and social media searches. The cited names of targeted organizations included in the body of extortion demands appear to have been copied from WHOIS records associated with CIDR blocks assigned to the target, even when those names do not correspond to the target’s public branding.
While in many cases emailed DDoS extortion demands are never viewed by their intended targets due to poor email address selection on the part of the attacker, in this instance, it appears that the threat actor in question has exercised due diligence in identifying email mailboxes that are likely to be actively monitored by targeted organizations.
The collateral impact of these DDoS attacks can be significant for end customers whose authoritative DNS service is provisioned on targeted DNS servers. A successful DDoS attack against DNS servers that are authoritative for a given domain can result in unresolvability for the DNS records of end-customer internet properties, thus rendering them inaccessible to legitimate users.
As is the case with most DDoS attacks, targeted organizations that had adequately prepared in advance to defend their public-facing internet properties and related infrastructure have experienced little or no significant negative impact related to this DDoS extortion campaign.
Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational Best Current Practices (BCPs) have been implemented, including situationally specific network access policies that permit internet traffic only via the required IP protocols and ports. Internet access traffic to and from internal organizational personnel should be kept separate from internet traffic to and from public-facing internet properties and carried over separate upstream internet transit links.
Authoritative DNS services should also be designed, deployed, and operated in a manner consistent with all relevant BCPs.
Upon receipt of any demands for DDoS extortion payments, targeted organizations should immediately engage with their peers/transit ISPs, MSSPs, and situationally appropriate law enforcement organizations. They should ensure that their DDoS defense plans are activated and validated and maintain a vigilant alert posture.
DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services to ensure maximal responsiveness and flexibility during an attack.
It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing web servers were adequately protected but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, leaving them vulnerable to attack.
Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks and resources. The relevant NETSCOUT account teams and/or Arbor’s Technical Assistance Center (ATAC) may be consulted with regards to optimal countermeasure selection and employment.
It should be noted that while observed levels of pre-attack reconnaissance, attack efficacy, and persistence do not correspond to those exhibited by the LBA threat actors, adequate preparation and enhanced situational awareness are always key to successfully mitigating DDoS attacks in any context.
ASERT Threat Summary: Fancy Lazarus DDoS Extortion Attack Campaign — June 2021 — v1.0.