Cyber criminals are using the threat of distributed denial of service (DDoS) attacks to extort money from businesses and governments, as online tools have made so-called ‘ransom DDoS’ attacks much easier to launch. Targets, which have included the New Zealand Stock Exchange and currency exchange provider Travelex, are facing a growing volume of attacks and increasingly exorbitant demands.
“DDoS attacks have traditionally had the purpose of disrupting a target’s network,” explains Stefano De Blasi, threat researcher at US cybersecurity company Digital Shadows. “The use of ransom tactics allows cyber criminals to monetise these operations. Cyber criminals exploit the fear of losing business continuity to capitalise on their attacks and try to extort substantial sums from their victims.”
Ransom DDoS attacks saw a spike in the third quarter of this year, according to recent research by Israeli cybersecurity company Radware. “It is a global campaign with threats reported from organisations in finance, travel and e-commerce in APAC, EMEA and North America,” the report states.
Not only are the attacks growing in number, the demands attached to them are growing too. The typical ransom demanded by attackers has grown tenfold in the past year, from around one bitcoin ($17,330) in 2019 to ten or 20 bitcoin to call off an attack today, according to Radware.
This is a growing threat that technology leaders would be wise to acknowledge. Soon after the DDoS attack on the New Zealand Stock Exchange, which disrupted the organisation’s operation over four days in August, CIO David Godfrey handed in his resignation.
Why are ransom DDoS attacks booming?
The spike in ransom DDoS attacks follows the growing availability of DDoS tools on the dark web. This in turn has been enabled by the proliferation of insecure internet of things devices that can be remotely co-ordinated to execute DDoS attacks.
“We found that the low-entry bar and wide availability of DDoS tools for rent and sale are likely driving these numbers up,” explains De Blasi. “Simultaneously, there’s a massive number of unprotected and unpatched IoT devices out there that can be easily exploited by threat actors and turned into malicious botnets able to conduct denial of service attacks.”
As with many cybersecurity threats, the Covid-19 pandemic has increased both the motivation and the opportunities for cyber criminals to attempt ransom DDoS attacks. Political unrest, including the fallout from the 2020 US presidential election, also provides opportunities for cyber criminals, says Alyn Hockey, vice-president of product management at data-loss prevention software provider Clearswift. “There’s a whole raft of different reasons why these attacks may happen.”
Companies in any industry can be targeted, Hockey adds, but those that are seen as ‘capital rich’, such as banks, are especially likely to receive threats.
Beware of Fancy Bear
Those behind ransom DDoS attacks often pose as well-known cybercriminal gangs, or ‘advanced persistent threat’ groups (APTs), to make their demands appear more credible.
Radware’s report reveals that it has intercepted “letters sent to several organisations by actors posing as ‘Fancy Bear’, ‘Armada Collective’ or ‘Lazarus Group’. The letters are sent to a generic email address and do not always immediately reach the right person in the organisation.”
Attackers masquerade as different cybercriminal groups depending on the industry vertical they are targeting, Radware explained. “All the letters Radware received from different organisations across the world indicate that ‘Lazarus Group’ is the sender when the target is a financial organization.” This includes attackers who tried to extort 20 bitcoins from Travelex. “The moniker ‘Fancy Bear’ is leveraged only for technology and manufacturing targets.”
But while the perpetrators of ransom DDoS attacks may not be the high-profile actors they claim to be, this does not mean they are not sophisticated. The New Zealand Stock Exchange attack, for example, was “more sophisticated than other observed DDoS attacks,” according to Radware. “It didn’t merely target public websites but also back-end infrastructure, application programming interface (API) endpoints, and domain name servers (DNS) and managed to force the [Exchange] to halt trading for several hours over four consecutive days.”
Defending against ransom DDoS attacks
Although the volume and severity of ransom DDoS attacks are increasing rapidly, the measures required to defend against them are consistent with general cybersecurity best practice.
“It is fundamental to have a clear contingency plan to locate and protect every sensitive asset potentially exposed,” advises De Blasi. “It’s crucial to keep track of the threat landscape as it allows organisations to monitor attackers’ [tactics, techniques and procedures] and recognise fake extortion impersonations.
“Finally, organisations should maintain an active communication channel with internet service and cloud providers as they can dispense vital support during an attack.”
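Two practical points above are worth turning into a repeatable check: the extortion letters land in generic mailboxes and do not always reach the right person quickly, and recognising fake impersonations of Lazarus Group, Fancy Bear or Armada Collective is part of the defence. The following Python triage script is an added example, not code from the article, Radware or Digital Shadows. It pulls the claimed persona, the bitcoin demand, the payment address and the deadline out of a letter so a shared inbox rule can route it to the incident response team, and checks the claimed persona against the vertical pattern the report describes. The threat-phrase list is an assumption, and the sample letter and the address in it are constructed for the example.

```python
"""Triage of suspected ransom DDoS (RDoS) extortion mail (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Personas seen in the intercepted letters the report describes, keyed to the
# vertical they were used against (None where the article gives no vertical).
KNOWN_PERSONAS = {
    "Lazarus Group": ("finance",),
    "Fancy Bear": ("technology", "manufacturing"),
    "Armada Collective": None,
}

# Phrases that mark a mail as a DDoS threat rather than, say, an invoice (assumed list).
THREAT_TERMS = ("ddos", "denial of service", "offline", "take down", "your network")

DEMAND_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.I)
DEADLINE_RE = re.compile(r"(\d+)\s*(hours?|days?)\b", re.I)
# bech32 (bc1...) or legacy base58 address shapes; case-sensitive, so run on the raw body.
BTC_ADDR_RE = re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


@dataclass
class Assessment:
    is_ransom_ddos: bool
    persona: Optional[str] = None
    btc_demand: Optional[float] = None
    btc_address: Optional[str] = None
    deadline_hours: Optional[int] = None
    indicators: list = field(default_factory=list)


def assess_letter(body: str) -> Assessment:
    """Classify one mail body and pull out the facts an IR team needs first."""
    text = body.lower()
    a = Assessment(is_ransom_ddos=False)

    threats = [t for t in THREAT_TERMS if t in text]
    if threats:
        a.indicators.append(f"threat language: {', '.join(threats)}")

    for name in KNOWN_PERSONAS:
        if name.lower() in text:
            a.persona = name
            a.indicators.append(f"claims to be {name}")
            break

    m = DEMAND_RE.search(body)
    if m:
        # The first figure is the demand; later figures are usually the escalation rate.
        a.btc_demand = float(m.group(1))
        a.indicators.append(f"demands {a.btc_demand:g} BTC")

    m = BTC_ADDR_RE.search(body)
    if m:
        a.btc_address = m.group(1)
        a.indicators.append("payment address present")

    m = DEADLINE_RE.search(body)
    if m:
        n, unit = int(m.group(1)), m.group(2).lower()
        a.deadline_hours = n * 24 if unit.startswith("day") else n
        a.indicators.append(f"deadline in {a.deadline_hours} hours")

    # Threat language plus either a named persona or a crypto demand is the RDoS pattern.
    a.is_ransom_ddos = bool(threats) and (a.persona is not None or a.btc_demand is not None)
    return a


def persona_matches_reported_pattern(persona: Optional[str], target_vertical: str) -> Optional[bool]:
    """True/False if the claimed persona fits the vertical pattern in the report, None if unknown."""
    verticals = KNOWN_PERSONAS.get(persona or "")
    if verticals is None:
        return None
    return target_vertical.lower() in verticals


# Constructed sample letter in the style the report describes; the address is a placeholder.
SAMPLE_LETTER = """Subject: DDoS attack on your network

We are the Lazarus Group and we have chosen your company as a target for our next DDoS attack.
Your whole network will go offline starting in 7 days unless you pay.
The current fee is 20 BTC. Send it to bc1qexampleaddressexampleaddress00 before the deadline.
If you do not pay in time the fee increases by 10 BTC every day the attack continues.
"""

if __name__ == "__main__":
    result = assess_letter(SAMPLE_LETTER)
    print(result)
    print("persona fits reported vertical:", persona_matches_reported_pattern(result.persona, "finance"))
```

The routing rule is deliberately simple: threat language plus either a named persona or a bitcoin figure. That catches the letters described above without firing on ordinary mail that happens to mention bitcoin, and the extracted address, sum and deadline are exactly what the ISP or cloud provider contact mentioned above will ask for when the organisation opens that channel.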