Defending Against Ransom DDoS Attacks
DDoS attacks have become an annoyance most companies assume they may have to deal with at some point. While frustrating, minor website disruptions from small-scale hacktivist campaigns rarely create substantial business impacts. However, a particularly insidious DDoS spinoff has emerged over the past decade – one aimed at blackmail.
This evolutionary milestone stems from what’s called Ransom DDoS (RDDoS), likely one of the most outrageous cybercrime weapons targeting businesses globally since 2015. With this form of extortion, threat actors aim to swamp an organization’s infrastructure with enormous network traffic floods, knocking critical systems offline unless sizable cryptocurrency ransoms are paid.
The proliferation of botnets has democratized this extortion vector, offering affordable turnkey DDoS-for-hire services on the dark web. Unsurprisingly, this is an escalating threat that’s often used as leverage to pressure companies that were previously hit by “classic” ransomware and refused to pay for data decryption.
This article examines the current state of ransom DDoS – how the attacks work, the monetization models fueling these campaigns, and, most importantly, the DDoS protection best practices businesses should employ now to minimize disruption risks.
Understanding Ransom DDoS Attacks
Ransom DDoS attacks typically involve cybercriminals first threatening an organization with a high-bandwidth raid unless it pays a ransom. Often, the attackers demonstrate their capabilities with a short DDoS “warning attack” before presenting their financial demands via email or chat.
If the ransom isn’t paid by the deadline (often ranging from a few days to over a week), the attackers will flood the company’s infrastructure with a deluge of rogue traffic. This is done using botnets potentially containing hundreds of thousands of compromised computers or consumer IoT devices such as routers, IP cameras, and smart home gadgets.
The malware on these devices allows them to be remotely marshaled into a “zombie army” to carry out devastating DDoS attacks. By leveraging these botnets, ransom DDoS attacks can reach massive scales – often exceeding 1 Terabit per second (Tbps) of junk traffic.
For comparison, most major websites and networks can only handle 10-20 Gbps before slowing down or crashing altogether. Standing resilient against these monster attacks is nearly impossible without specific DDoS mitigation measures in place.
The victim’s websites, networks, and infrastructure are overwhelmed and taken offline for hours, days, or even longer. This can lead to massive revenue losses from transaction systems and online platforms being down.
Peering Into the Business of Ransom DDoS Extortion
Cybercriminal groups increasingly turn to ransom DDoS attacks because they offer a relatively easy way to generate piles of cryptocurrency quickly. The threat of heavy business disruptions forces victims’ hands, and big payouts further incentivize attackers to pursue more targets. This vicious circle and the economics of ransom DDoS make it a lucrative avenue for cybercriminals – relatively low effort for high returns.
Ransom DDoS attacks now operate almost like an entire business. Specialized DDoS botnet malware and booter/stresser services are available for hire as DDoS-as-a-Service, allowing less technically skilled groups to launch their own campaigns. There’s even customer service – some threat actors assign “manager” roles to negotiate payments and terms with victims.
The ransom demands are often shocking, with the median payment surging 500% to a whopping $2 million this year. Of course, demands can go much higher for larger, high-value companies where more disruption equates to bigger payouts.
Building Resilience Against the Ransom DDoS Threat
Fending off ransom DDoS attacks remains extremely difficult due to their continually evolving tactics, techniques, and sheer scale. However, businesses should still take proactive steps to improve overall DDoS attack resiliency. While preventing attacks outright may not be possible, reducing their impact is vital.
Maintain Excess Bandwidth Capacity
Having extra network bandwidth capacity can help absorb DDoS traffic without immediate disruption. This alone is often not enough for the largest multi-Tbps attacks, but it still gives some breathing room to activate other mitigations.
Leverage On-Premise DDoS Mitigation Appliances
Scrubbing solutions can effectively filter and discard DDoS traffic on-premise before it hits core infrastructure, avoiding clogging internet links. Diverting traffic through cloud scrubbers provides similar benefits.
Implement Advanced Cloud DDoS Mitigation
Specialized cloud DDoS prevention services are worth their cost as well. Cloud-scale capacity protects against even the most significant attacks by absorbing and filtering traffic before it reaches the targeted network.
Reduce the Internet-Facing Attack Surface
Disable, remove, and firewall off any unnecessary internet-facing ports, services, servers, devices, and applications. Restrict administrative interfaces. Eliminating attack vectors that criminals may exploit will force them to move on to easier targets.
Harden Public Infrastructure and Apps
Keep operating systems, software, firewalls, web/application servers, and other digital assets fully updated and regularly patched. Fixing vulnerabilities limits the pathways attackers can use to infect, infiltrate, and leverage your public-facing digital assets for their botnets.
Actively Monitor Traffic and Events
Analyze web server logs, firewall blocking instances, intrusion detection system events, latency shifts, and traffic patterns across on-premise and cloud infrastructure. Unexpected surges or other anomalies might indicate DDoS attack reconnaissance and preparation.
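One way to put the log analysis above into practice, as an added example that is not part of the original article: it buckets web server access log lines by minute and flags minutes that far exceed the recent baseline. The Combined Log Format input, the window size, and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Timestamp of a Combined Log Format line, e.g. [01/Jan/2024:12:20:00 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]")

def requests_per_minute(lines):
    """Count requests per minute; lines without a timestamp are skipped."""
    counts = Counter()
    for line in lines:
        m = TS_RE.search(line)
        if m:
            counts[datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M")] += 1
    return counts

def find_surges(counts, window=10, threshold=6.0, min_requests=50):
    """Flag minutes far above the median of the preceding `window` minutes.
    Deviation is measured in robust (MAD-based) units, so one earlier spike
    in the baseline does not hide the next one. Thresholds are assumptions."""
    if not counts:
        return []
    first, last = min(counts), max(counts)
    span = int((last - first).total_seconds() // 60) + 1
    minutes = [first + timedelta(minutes=i) for i in range(span)]
    series = [counts.get(t, 0) for t in minutes]  # silent minutes count as 0
    surges = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        med = median(base)
        mad = median(abs(x - med) for x in base) or 1.0  # flat baseline guard
        score = (series[i] - med) / (1.4826 * mad)
        if series[i] >= min_requests and score > threshold:
            surges.append((minutes[i], series[i], round(score, 1)))
    return surges

def sample_log():
    """Constructed sample: ~20 req/min for 30 minutes with a 2-minute burst."""
    t0, lines = datetime(2024, 1, 1, 12, 0), []
    for i in range(30):
        n = 400 if i in (20, 21) else 18 + i % 5
        stamp = (t0 + timedelta(minutes=i)).strftime("%d/%b/%Y:%H:%M:00 +0000")
        lines += [f'192.0.2.{j % 250 + 1} - - [{stamp}] "GET / HTTP/1.1" 200 512'
                  for j in range(n)]
    return lines

if __name__ == "__main__":
    for minute, count, score in find_surges(requests_per_minute(sample_log())):
        print(f"{minute:%H:%M} {count} req/min (robust z={score})")
```

A short burst like the one in the sample is the pattern to alert on early, since it leaves time to activate mitigations before a sustained flood; a surge lasting longer than half the window shifts the baseline, so pair this with a fixed upper limit in production.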
Conduct Incident Response Simulation Exercises
Develop and regularly test DDoS attack emergency response plans so all teams understand their roles. Practice making decisions on activating mitigations, communicating statuses, and recovering the impacted systems. Smooth execution relies on preparation.
Final Word
Ransom DDoS is here to stay, but developing resilience against the threat will allow businesses to weather the storms. Taking a layered, proactive approach is key, and so is a combo of constant education and vigilance as new attack vectors and botnets will inevitably emerge.
DDoS, which often goes hand in hand with ransomware, presents complex, evolving challenges. Your organization can dramatically minimize disruption risks by implementing DDoS resilience best practices, staying informed on emerging threats, and simulating attack response.
While it’s impossible to predict how attackers might leverage new tactics or malware in pursuit of bigger payouts, maintaining vigilance and preparedness reduces the impact. Defense against ransom DDoS becomes a collaborative effort across the entire organization.
By taking the initiative to learn, strategize, and engineer agility to move quickly against the unexpected, organizations can ultimately withstand whatever comes at them.
About the Author:
David Balaban is a cybersecurity analyst with two decades of track record in malware research and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a solid malware troubleshooting background, with a recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.