The email was reported to KnowBe4 via a number of sources, including the (free) Phish Alert Button. The Bitcoin address appears to be different in each message, which points to a higher level of automation than usual. This is essentially a variant of the recent sextortion strains that have been doing the rounds. Here is a screenshot:
This campaign was carried out by the same group of spammers responsible for the recent wave of sextortion scams, two cyber-security firms said on Friday. "Multiple IPs involved in sending these bomb threats also sent various types of sextortion email that we saw in the previous campaign," said Jaeson Schultz of Cisco Talos.
This campaign is likely to be very disruptive: some organizations receiving it, such as banks and school districts, will have no choice but to treat it as a credible threat and go into lockdown. This is a developing story, and more will undoubtedly follow. Here is the text of one version of the extortion email:
My man carried a bomb (Hexogen) into the building where your company is located. It is constructed under my direction. It can be hidden anywhere because of its small size, it is not able to damage the supporting building structure, but in the case of its detonation you will get many victims.
My mercenary keeps the building under the control. If he notices any unusual behavior or emergency he will blow up the bomb.
I can withdraw my mercenary if you pay. You pay me 20.000 $ in Bitcoin and the bomb will not explode, but don’t try to cheat -I warrant you that I will withdraw my mercenary only after 3 confirmations in blockchain network.
Here is my Bitcoin address : 1GHKDgQX7hqTM7mMmiiUvgihGMHtvNJqTv
You have to solve problems with the transfer by the end of the workday. If you are late with the money explosive will explode.
This is just a business, if you don’t send me the money and the explosive device detonates, other commercial enterprises will transfer me more money, because this isnt a one-time action.
I wont visit this email. I check my Bitcoin wallet every 35 min and after seeing the money I will order my recruited person to get away.
If the explosive device explodes and the authorities notice this letter: We are not terrorists and dont assume any responsibility for explosions in other buildings.
I suggest you send the following to your employees. You're welcome to copy, paste, and/or edit:
The bad guys are getting very threatening with extortion scams. They now send you an email that looks like a bomb threat and claim there is an explosive device in the building which will detonate unless you pay bitcoin. This threat is being sent to literally millions of people, so the likelihood that it is real is very small. However, we cannot take any risks, so please treat this threat as you would any other: follow our organization's security policy, and do not answer or forward this email. Think Before You Click! [OPTIONAL] Click on the Phish Alert Button to delete it from your inbox and at the same time alert IT about this scam.
The spammers behind this campaign stopped sending bomb threats on Friday, most likely realizing that this campaign won't yield any results, especially after the FBI, the police, and the media told everyone to ignore the threats and not pay the ransom demand.
And according to Cisco Talos, no one did. Schultz said that Talos discovered 17 Bitcoin addresses inside the bomb threat extortion emails, but none held any money. "Only two of the addresses have a positive balance, both from transactions received Dec. 13, the day the attacks were distributed," Schultz said. "However, the amounts of each transaction were under $1, so it is evident the victims in this case declined to pay the $20,000 extortion payment price demanded by the attackers."
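As an added example (not part of the original post, and not KnowBe4's or Talos's tooling), the Python below triages reported copies of the email the way the analysis above implies: it pulls the Bitcoin address out of each report, rejects strings that fail the Base58Check checksum (so a malformed or randomly generated string is never sent to a block explorer), deduplicates what is left, and flags the one-distinct-address-per-message pattern that the post reads as automation. The three sample reports are constructed. The first address is the one quoted in the email above; the second is the well-known Bitcoin genesis-block address, used here only as a known checksum-valid sample; the third is that address with its last character altered so that its checksum fails. Balance lookups themselves are out of scope (they need network access); the `valid` list is what you would feed to a block explorer.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy (P2PKH "1..." / P2SH "3...") address shape: 25-34 Base58 characters.
# The shape check is cheap; the checksum check below is what actually filters junk.
BTC_ADDR_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{24,33}\b")

# Constructed sample reports (not real user submissions). Address 1 is the one
# quoted in the post; address 2 is the genesis-block address (known valid);
# address 3 is address 2 with its last character changed (checksum fails).
SAMPLE_REPORTS = [
    "My man carried a bomb into the building.\n"
    "Here is my Bitcoin address : 1GHKDgQX7hqTM7mMmiiUvgihGMHtvNJqTv\n",
    "My man carried a bomb into the building.\n"
    "Here is my Bitcoin address : 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n",
    "My man carried a bomb into the building.\n"
    "Here is my Bitcoin address : 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\n",
]


def base58check_valid(addr: str) -> bool:
    """True if addr Base58-decodes to 25 bytes whose last 4 bytes equal the
    first 4 bytes of SHA256(SHA256(version || payload))."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False  # character outside the Base58 alphabet
        n = n * 58 + idx
    # Each leading '1' encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(text: str) -> list:
    """All legacy-format Bitcoin address candidates in one message body."""
    return BTC_ADDR_RE.findall(text)


def triage(reports: list) -> dict:
    """Extract, checksum-filter and deduplicate addresses across reports.
    one_per_message is True when every report carries exactly one address and
    no address repeats, i.e. the per-recipient generation the post describes."""
    valid, invalid = set(), set()
    per_message = []
    for body in reports:
        found = extract_addresses(body)
        per_message.append(len(found))
        for addr in found:
            (valid if base58check_valid(addr) else invalid).add(addr)
    return {
        "messages": len(reports),
        "valid": sorted(valid),
        "invalid": sorted(invalid),
        "one_per_message": all(c == 1 for c in per_message)
        and len(valid) + len(invalid) == len(reports),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    print("messages:", result["messages"])
    print("checksum-valid (send to block explorer):", result["valid"])
    print("rejected by Base58Check:", result["invalid"])
    print("one distinct address per message:", result["one_per_message"])
```

The checksum step matters for a campaign like this one: with a fresh address in every message, an analyst who skips validation will waste explorer lookups on any strings the spammer's generator got wrong, and will also miss the simplest campaign-level signal, which is the count of distinct valid addresses versus the count of messages.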
Now It's Throwing Acid...
But the spammers have not given up. Talos said that as soon as their bomb threat campaign appeared to hit a dead end, the group switched to another one. "The attackers have returned to their empty threats of harming the individual recipient," Schultz said. "This time, they threaten to throw acid on the victim." A copy of an email carrying this latest threat is available below.