Cloudflare DDoS Attack Warning October 16, 2020

Editor’s Note: This post refers to the DDoS attack on BetOnline, which started on October 16, 2020. Cloudflare sent this general message to its users the same day as the attack. BetOnline is a Cloudflare customer.

“Dear Cloudflare Customer:

We are reaching out because over the last several weeks, there has been an increase in ransom-driven DDoS attack threats. Entities claiming to be Fancy Bear / Cozy Bear / Lazarus are threatening to launch DDoS attacks against organizations’ websites and network infrastructure unless a ransom is paid before a given deadline. Prior to the ransom note, a small DDoS attack is usually launched as a form of demonstration. The demonstration attack is typically a UDP reflection attack using a variety of protocols, lasting roughly 30 minutes in duration (or less).

An excerpt of the ransom note is here:

“We are the Fancy Bear and we have chosen <company name> as target for our next DDoS attack.

Your whole network will be subject to a DDoS attack starting at Monday (in 6 days). (This is not a hoax, and to prove it right now we will start a small attack on a few of your IPs that will last for 30 minutes.”

The ransom note is typically sent to the common group email aliases of the company—i.e. [email protected], [email protected], [email protected], [email protected], [email protected], etc. In several cases, it has ended up in spam.”