The old-new cyber threat: Ransom DDoS - opinion

The number of ransomware attacks grew by more than 150% - what created this increase and what are the best practices in case of such an attack?


The global pandemic likely contributed to the phenomenal increase in DDoS extortion attacks. The number of ransomware attacks grew by more than 150%, and in 2021 alone six ransomware groups compromised 292 organizations.

DDoS-based ransom attacks, commonly called RDDoS (ransom DDoS), combine two major trends in cyber crime.

The first trend is cyber ransom: a criminal threatens to launch a cyber attack that damages an organization's networks, IT and digital resources unless a large payment is made.

The second trend is DDoS (Distributed Denial of Service) attacks. These have evolved from nuisances causing minor damage into substantial threats that readily disrupt business continuity and national critical infrastructure.

Hackers and cyber criminals have used extortion for a long time. However, it was usually associated with "classic" attacks such as malware intrusion into the organization or zero-day exploitation. Using DDoS as the offensive method has gained significant momentum in the last few years, mainly because of the characteristics and benefits of this form of attack.


To launch a DDoS attack, high traffic loads need to be directed at a live network environment, and today botnets are the usual means. Cyber criminals manage to take sites offline and halt business operations for anywhere from a couple of hours to days, while demanding large ransom payments to stop the attack. DDoS attacks fall into three broad types: volumetric (saturating bandwidth), protocol-based (exhausting network or server state, for example SYN floods), and application-based (overwhelming the application layer with seemingly legitimate requests). Many are launched by botnets of compromised computers, mobile devices and, more recently, large numbers of insecure IoT devices.
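To make the three attack types concrete, here is an added example (it is not code from the article or from MazeBolt) that runs simple detection logic over a one-second window of constructed flow records. The record format, the thresholds and the sample data are all assumptions chosen for illustration; a real deployment would take them from NetFlow/IPFIX or a load balancer and tune them to the link's baseline.

```python
"""Classify one window of traffic into the DDoS categories named above:
volumetric, protocol-based and application-based.

Added example, not from the original article or MazeBolt. The Flow
record, thresholds and sample windows below are assumptions made for
illustration only.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    """One summarised flow record (constructed format, not a real export)."""
    src: str
    dst_port: int
    proto: str          # "udp" or "tcp"
    nbytes: int         # bytes seen in the window
    pkts: int           # packets seen in the window
    tcp_flags: str      # "S" = SYN only, "PA" = data, "" for UDP
    http_requests: int  # layer-7 requests in the flow (0 if not HTTP)


# Thresholds per one-second window; assumed values for a small link.
VOLUMETRIC_BPS = 500_000_000   # 500 Mbit/s aggregate traffic
SYN_RATIO = 0.9                # share of TCP packets that are bare SYNs
HALF_OPEN_PKTS = 2_000         # bare SYNs in the window
L7_RPS_PER_SRC = 200           # HTTP requests per source per second
L7_RPS_TOTAL = 5_000           # HTTP requests across all sources


def classify_window(flows):
    """Return the set of DDoS categories matched by one window of flows."""
    findings = set()

    # Volumetric: the pipe itself fills up, whatever the payload is.
    total_bits = sum(f.nbytes for f in flows) * 8
    if total_bits >= VOLUMETRIC_BPS:
        findings.add("volumetric")

    # Protocol-based: a SYN flood leaves many half-open connections.
    # Almost every TCP packet is a bare SYN and there are a lot of them.
    tcp = [f for f in flows if f.proto == "tcp"]
    tcp_pkts = sum(f.pkts for f in tcp)
    syn_only = sum(f.pkts for f in tcp if f.tcp_flags == "S")
    if tcp_pkts and syn_only / tcp_pkts >= SYN_RATIO and syn_only >= HALF_OPEN_PKTS:
        findings.add("protocol")

    # Application-based: little bandwidth, but a request rate the backend
    # cannot serve, either from a few hot sources or from a wide botnet.
    rps = Counter()
    for f in flows:
        rps[f.src] += f.http_requests
    if any(n >= L7_RPS_PER_SRC for n in rps.values()) or sum(rps.values()) >= L7_RPS_TOTAL:
        findings.add("application")

    return findings


def sample_windows():
    """Constructed one-second windows: normal, UDP amplification, SYN flood, HTTP flood."""
    normal = [Flow("10.0.0.5", 443, "tcp", 12_000, 20, "PA", 4),
              Flow("10.0.0.9", 443, "tcp", 8_000, 12, "PA", 2)]
    # Reflected/amplified UDP: few reflectors, huge byte counts (e.g. DNS/NTP replies).
    udp_amp = [Flow(f"198.51.100.{i}", 80, "udp", 20_000_000, 14_000, "", 0)
               for i in range(1, 40)]
    # SYN flood: thousands of SYNs from (spoofed) sources, no handshake completes.
    syn_flood = [Flow(f"203.0.113.{i}", 443, "tcp", 6_000, 100, "S", 0)
                 for i in range(1, 60)]
    # HTTP flood: modest bytes, very high request rate from a handful of bots.
    http_flood = [Flow(f"192.0.2.{i}", 443, "tcp", 300_000, 2_500, "PA", 2_500)
                  for i in range(1, 6)]
    return {"normal": normal, "udp_amp": udp_amp,
            "syn_flood": syn_flood, "http_flood": http_flood}


if __name__ == "__main__":
    for name, flows in sample_windows().items():
        print(f"{name:10s} -> {sorted(classify_window(flows)) or ['clean']}")
```

The point of the three separate checks is that the categories need different signals: byte counts alone never reveal a SYN flood or an HTTP flood, and a request-rate counter never sees an amplification attack that carries no layer-7 traffic at all. A mitigation setup that only watches one of them is the kind of blind spot the article goes on to describe.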


DDoS has become a major attack tool mainly because of the simplicity of this kind of attack. There is no need to be a technological wiz or to have exceptional skills to launch one. Compared to other cyber-attacks such as ransomware and phishing, which require time, expertise and careful planning, DDoS can be and is easily launched. It is also an attack whose source is very hard to locate, since the traffic is typically spoofed or relayed through compromised devices, so identifying the attackers is difficult.

Another reason for its popularity is the low cost of launching a DDoS attack. One can simply log on to the Darknet and purchase an attack for under 100 dollars.

Last but not least, cyber criminals have realized that they can effortlessly take advantage of the fact that existing defence systems (i.e. mitigation solutions) are not adapted and reconfigured to keep pace with continuous system-wide changes such as new IP addresses, software updates, settings and applications. Because the protection is not reconfigured continuously, it cannot detect the new vulnerabilities these changes open. In today's reality, even companies with best-of-breed mitigation systems installed lack the ability to see the big picture and realize in real time where new vulnerabilities are created and how exposed they are to a damaging DDoS attack.

Show me the money 

Going back to RDDoS, the pattern of action is quite constant. Criminals launch DDoS attacks that create high traffic loads against the network capacity of the site or the enterprise servers, using large botnets. In this way they disrupt normal operations, such as providing digital services to customers or letting employees connect to corporate systems. The extortion threat usually arrives as a demand letter that follows a template. The letter threatens a DDoS attack, or the continuation of one already under way, unless the target meets the payment demand, usually in Bitcoin.

Should we pay DDoS attackers?

Law enforcement agencies advise targeted companies not to pay the ransom, because paying encourages others to join the crime and marks ransom-paying businesses as lucrative targets. Extortion gangs promise to stay away from targets once the ransom is paid; however, there is no guarantee that the criminals will not return for more money. Taking advantage of the Bitcoin price rise, one group of DDoS attackers stated in their ransom emails that the demand would increase by ten bitcoins each day until the victim paid. By paying the ransom, companies do not save the business but make themselves more vulnerable to further damage.

How to act in case of RDDoS attack?

In a reality with over 30,000 DDoS attacks reported per day, it is only a matter of time before almost every major organization experiences an RDDoS attack. If attacked, stay calm and do not respond to the attackers' demands immediately. Immediate payment positions the company as an easy target and increases the potential for future attacks. It is known that attacker groups communicate with each other, and it is not inconceivable that they share information about organizations that are more susceptible to extortion. Moreover, there is no guarantee that they will leave quietly rather than simply ask for more money after the attack.

Report the threat immediately to the relevant authorities, such as the National Cyber Authority. Any information provided helps identify the attackers and builds a case against known groups.

How to prevent DDoS attacks

To avoid finding themselves in a compromising RDDoS situation, companies need to adopt a preventive DDoS policy rather than rely solely on their mitigation solution. CISOs must ask themselves how prepared the organization is, and whether it is able to detect an attack and avoid damage.

The only way to prevent a damaging RDDoS attack is to continually identify areas of weakness (vulnerabilities) and configure your DDoS protection to close them automatically.

The author is the Founder and CEO of MazeBolt, which provides a technological solution for the automatic detection and mitigation of DDoS vulnerabilities.