Inside DDoS Extortion Threats
If you work in network security, you never want to get a message like this. Unfortunately, more and more security teams are receiving them; one of our clients got this one. And even though it says “don’t worry” right there in the third paragraph, you can be sure they were alarmed.
This explicit threat is part of a significant and disturbing trend in cybercrime: a rising tide of attacks that threaten to paralyze an organization's digital assets with a crippling DDoS (Distributed Denial of Service) attack unless the victim pays a large ransom to the crooks.
This note includes the most common hallmarks of this growing cyber threat:
- It cultivates credibility by referring to a recent, widely reported DDoS attack that successfully froze a major institution.
- It raises the stakes (and stokes fears) by suggesting the source of the threat is a notorious and well-known cybercrime group with the chops to pull off the attack.
- It promises a phased attack, starting with a small demonstration DDoS attack to prove the attacker's seriousness and expertise, to be followed by a massive attack "with no counter measure."
- It demands payment in cryptocurrency – typically Bitcoin worth around $100K to $300K – and promises that payment will end the risk forever, and that the cyber crooks will "respect your reputation" and not publicize the extortion. On the other hand, if the victim doesn't promptly pay, it warns that the ransom amount will go up.
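Because these notes share such a stable set of hallmarks, a SOC can triage them automatically: score each inbound message against the indicators above and escalate anything that trips several at once to incident response (and, per the FBI guidance later in this article, to law enforcement). The script below is an added example written for this article, not code from the original page or from any vendor product; the indicator weights, the escalation threshold and both sample messages (including the Bitcoin address) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicator patterns drawn from the hallmarks listed above. Weights are an
# assumption for this example; tune them against your own mail corpus.
INDICATORS = {
    # Notes borrow the name of a well-known group to sound credible.
    "claimed_group": (re.compile(
        r"\b(fancy bear|cozy bear|lazarus(?: group)?|armada collective)\b", re.I), 2),
    # Payment is demanded in cryptocurrency, almost always Bitcoin.
    "bitcoin_payment": (re.compile(r"\b(bitcoin|btc)\b", re.I), 2),
    # A bech32 (bc1...) or legacy (1.../3...) address. Loose on purpose:
    # it is a triage heuristic, not an address validator.
    "btc_address": (re.compile(
        r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"), 3),
    # A threatened volume such as "300 Gb/sec" or "2 Tbps".
    "attack_volume": (re.compile(
        r"\b\d+(?:\.\d+)?\s*[GT]b(?:ps|/s(?:ec)?)\b", re.I), 1),
    # The phased approach: a small proof attack before the big one.
    "demo_attack": (re.compile(
        r"\b(demonstrat\w*|test attack|small attack|sample attack)\b", re.I), 2),
    # A deadline, or a warning that the price rises if you stall.
    "deadline_or_increase": (re.compile(
        r"\b(price|fee|amount)\b.{0,40}\b(increase|double|go(?:es)? up)\b|\bdeadline\b", re.I), 2),
    # The "we won't tell anyone" hush promise.
    "reputation_hush": (re.compile(
        r"respect your reputation|no one will know|will not (?:publish|publicize)", re.I), 1),
    "ddos_threat": (re.compile(r"\bddos\b", re.I), 1),
}

# Escalation rule (assumed for this example): a high score AND several
# distinct indicators, so a single keyword in a vendor mail cannot trigger it.
ESCALATE_SCORE = 6
ESCALATE_MIN_INDICATORS = 3


@dataclass
class TriageResult:
    score: int
    matched: List[str]  # indicator names, in INDICATORS order
    escalate: bool


def triage_note(text: str) -> TriageResult:
    """Score one inbound message against the RDDoS hallmark indicators."""
    matched = [name for name, (pattern, _w) in INDICATORS.items() if pattern.search(text)]
    score = sum(INDICATORS[name][1] for name in matched)
    escalate = score >= ESCALATE_SCORE and len(matched) >= ESCALATE_MIN_INDICATORS
    return TriageResult(score, matched, escalate)


# Constructed sample messages (not the real note the article refers to).
EXTORTION_NOTE = """\
We are the Armada Collective. You have seen what we did to a large bank last week.
We will start with a small demonstration attack of 300 Gb/sec on your main site.
If you do not pay 20 BTC to bc1q0examplerddos0extortion0note0placehold before the deadline,
the full DDoS attack, up to 2 Tb/sec with no counter measure, will follow and the price will increase.
We respect your reputation and nobody will learn about this.
"""

VENDOR_EMAIL = """\
Hi team, following up on last week's call about DDoS readiness. Our scrubbing
capacity is currently 10 Tbps across all regions; the renewal quote is attached.
"""

if __name__ == "__main__":
    for label, msg in (("extortion note", EXTORTION_NOTE), ("vendor email", VENDOR_EMAIL)):
        result = triage_note(msg)
        print(f"{label}: score={result.score} escalate={result.escalate} "
              f"matched={', '.join(result.matched)}")
```

The vendor mail mentions DDoS and a Tbps figure, so it scores a couple of points but never reaches the threshold; the extortion note trips every indicator. In production, feed the matched indicator names into the ticket so the analyst can see why a message was escalated rather than just that it was.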
These kinds of attacks aren't new. The first threats date back to around 2003, primarily targeting online gaming companies. However, the number and pace of attacks have risen sharply in the last few months, and many industries are now targeted. The spike is significant enough to have prompted a flash warning from the FBI. The technique has become so prevalent it has even earned its own acronym: RDDoS (sometimes RDoS) for Ransom Distributed Denial of Service.
Based on insights from our own Security Operations Center as well as industry reporting, here are the most important facts you need to know about these attacks:
- They’re global in scope. The attacks have targeted commercial organizations in North America, Asia and the Pacific, Europe, the Middle East and Africa.
- They span many different industries. The initial wave of RDDoS attacks was primarily aimed at companies and organizations in financial services, but they have since broadened to other verticals including technology, business services, hospitality, travel and retail.
- The attackers are probably not who they claim to be. Recent RDDoS notes have claimed to be from a range of known cybercrime groups, including Fancy Bear, Cozy Bear, the Lazarus Group and the Armada Collective. It’s unclear who they actually are, but one respected publication flatly states that Fancy Bear is not involved.
- At least some of the threats result in actual DDoS attacks. Although the notes have threatened attacks of up to 2 Tb/sec, observed attacks have been considerably smaller, ranging from 20 to 300 Gb/sec. The attacks have also used multiple vectors, according to the FBI. They're nothing to sneeze at, but they are far less intense than threatened.
- In many instances, no attack ever materializes. We don’t yet know why some threats result in actual DDoS efforts and others do not. It’s very possible that copycat threats are coming from multiple actors with varying capabilities. In addition, many companies now have a cloud DDoS protection service that can defend against threatened attacks.
As with all cybercrime, these threats will most likely continue to evolve, not only in the messages that are used in the ransom notes but also in the techniques that are threatened and actually used.
What should you do if you’re attacked? First, don’t panic – and don’t pay. That’s not just our recommendation; that’s the FBI’s recommendation as well. Paying is only likely to land you on a list of companies that capitulate, and may well attract future threats.
Instead, the FBI suggests contacting your nearest FBI field office if your organization is threatened. The information you provide may help prevent future attacks, and could help identify the attackers.
They also recommend using a DDoS mitigation service, such as Neustar UltraDDoS Protect, that can automatically identify and block attacks.
If you are a Neustar UltraDDoS Protect customer, your infrastructure will be protected, even if the extortionists do mount the threatened 2 Tb/sec attack. Our global data scrubbing network has the capacity to handle more than 5 times that volume of attack traffic.
If you have questions or concerns about your capacity to mitigate DDoS attacks of any size, or would simply like to discuss your security concerns with a knowledgeable professional, take a moment to request an email contact from one of our security experts.