[BALUG-Admin] I get emails ... <sigh>

Michael Paoli Michael.Paoli@cal.berkeley.edu
Wed Oct 28 05:19:57 UTC 2020


I get emails ... <sigh>
... seems to be a lot 'o these goin' around:

Threat/extortion emails (mostly all bark no or negligible bite).
Seems they're probably targeting those more probable to fall for it,
e.g. smaller businesses and such that aren't particularly tech savvy,
... not that their targeting is particularly accurate, but maybe at
least what they aim for by the content of their email.

Trimmed and redacted for brevity, etc., both of these from same IP:
------------------------------------------------------------------------
Received: from dedi.coronaxy.com ([185.198.58.92]:38380)
  by balug-sf-lug-v2.balug.org
  for <balug-announce@lists.balug.org>; Tue, 27 Oct 2020 04:41:53 +0000
To: balug-announce@lists.balug.org
Date: Tue, 27 Oct 2020 04:41:34 +0000
From: Patrick Wilson <patrick-wilson@coronaxy.com>
Subject: Your website www.balug.org has been hacked

We are the Cozy Bear and we have chosen www.balug.org as target for  
our next DDoS attack.
Your network will be subject to a DDoS attack starting at 2020  
November 2nd (Monday).
THIS IS NOT A HOAX, and to prove it right now we will start a small  
attack on www.balug.org that will last for 30 minutes.
This means that your website, e-mail and other connected services will  
be unavailable for everyone.
We will refrain from attacking your servers for a small fee.
The current fee is $1200(USD) in bitcoins (BTC). The fee will increase  
by 1000 USD for each day after deadline that passed without payment.
Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve):
[REDACTED]
If you decide not to pay, we will start the attack on the indicated  
date and uphold it until you do, there's no counter measure to this,  
you will only end up wasting more money trying to find a solution  
(Cloudflare, Sucuri, Imperva and similar services are useless, because  
we will hit your network directly).
We will completely destroy your reputation and make sure your services  
will remain offline until you pay.
We will also download your database and do as much damage as possible.
Once you have paid we won't start the attack and you will never hear  
from us again.
------------------------------------------------------------------------
From <elijah-martin@coronaxy.com> Tue Oct 27 17:35:38 2020
Received: from dedi.coronaxy.com ([185.198.58.92]:56414)
  for <balug-announce-owner@lists.balug.org>; Tue, 27 Oct 2020 17:35:38 +0000
To: balug-announce-owner@lists.balug.org
Date: Tue, 27 Oct 2020 17:35:16 +0000
From: Elijah Martin <elijah-martin@coronaxy.com>
Subject: If www.balug.org is important to you, you must read this

We have hacked your website(s) www.balug.org and extracted your databases.
We will systematically go through a series of steps of totally  
damaging your reputation. First your database will be leaked or sold  
to the highest bidder which they will use with whatever their  
intentions are. Next if there are e-mails found they will be e-mailed  
that their information has been sold or leaked and your site  
www.balug.org was at fault thusly damaging your reputation and having  
angry customers/associates with whatever angry customers/associates  
do. Lastly any links that you have indexed in the search engines will  
be de-indexed based off of blackhat techniques that we used in the  
past to de-index our targets.
How do I stop this?
We are willing to refrain from destroying your site's reputation for a  
small fee. The current fee is $1050(USD) in bitcoins (BTC).
Please send the bitcoin to the following Bitcoin address (Copy and  
paste as it is case sensitive):
[REDACTED]
If you decide not to pay, we will start the attack at the indicated  
date and uphold it until you do, there's no counter measure to this,  
you will only end up wasting more money trying to find a solution. We  
will completely destroy your reputation amongst google and your  
customers.
This is not a hoax, do not reply to this email, don't try to reason or  
negotiate, we will not read any replies. Once you have paid we will  
stop what we were doing and you will never hear from us again!
------------------------------------------------------------------------

And yes, a simple Internet search confirms it, and many such threats are
being emailed about.

Maybe if I get bored and have some time some day, I'll put in an
anti-spam filter to specifically reject these upon attempted delivery
during the SMTP phase ... maybe with reject message/diagnostic
including something along the lines of:
Due to overwhelming request volume, we are no longer able to accept
ransomware/blackmail/threat requests for payment via email.
We do, however, still accept such requests via USPS mail.
For prompt attention to your request, please send it via USPS to:
<automatically inserted email address they attempted to> c/o
ref: <automatically inserted reference on failed email attempt>
FBI: ATTN: ransomware/blackmail/threat requests for payment
<address>
USA

Thank you for your cooperation on these matters to help ensure prompt
attention by those relevant and responsible for handling your request.



