Dissecting Ransom DDoS Attacks

Extortion is in vogue with online perpetrators these days, and it’s constantly ramping up for a number of reasons. It pays off well due to little investment and effort required to engage in blackmail on the Internet. The emergence of DDoS-for-hire, Ransomware-as-a-Service (RaaS) and other readily available cybercrime kits allows threat actors to launch massive extortion campaigns on the cheap and easily. Furthermore, the rise of unregulated cryptocurrencies like Bitcoin has added an anonymity component to the equation, allowing extortionists to hide their identity and stay on the loose.

While the bar is low for attackers, the stakes are high for victims who run the risk of losing control of their business or private life. That’s the nontrivial discrepancy the security industry has yet to tackle.

Ransom DDoS explained

The extortion segment of cybercrime is heterogeneous and encompasses several different blackmail techniques. The concept of ransom DDoS, or RDoS, stands out from the crowd. Also referred to as DDoS for Bitcoin, it denotes an attack vector where crooks demand a ransom or else they will supposedly deploy a distributed denial-of-service onslaught against an organization’s IT infrastructure.

The incursion typically commences with an email threatening to render a company’s online operations unavailable by flooding their servers with a volume of traffic they cannot handle. To prove they aren’t bluffing – which, in these scenarios, they quite often are – the felons may first launch a smaller network stress attack that will knock the target’s website offline for a while or cause a similar temporary outage. A specific deadline for submitting the ransom is an inalienable hallmark of the average RDoS assault.

Although this modus operandi seems straightforward at first sight, the criminals’ actual motivation may be more intricate than it appears. Ransom DDoS might well turn out to be a clever maneuver aimed at distracting IT executives from other bad things going on behind the scenes. For instance, it makes a perfect camouflage for a server breach. Sometimes RDoS is pulled off to perform reconnaissance and thus spot weak links in the security posture of an organization for a future network penetration or crypto ransomware attack. Furthermore, a lot of RDoS attempts are empty threats with no ensuing attack. One way or another, the ne’er-do-wells’ ultimate goal is financial gain.

The profitability of online extortion has spawned multiple groups of threat actors specializing in this nefarious activity. These include Armada Collective, DD4BC, New World Hackers, CyberTeam, Anonymous, RedDoor, Lizard Squad, Borya Collective, Kadyrovtsy, ezBTC, XMR Squad, FancyBear, Meridian Collective, zzb00t, Stealth Ravens, Collective Amadeus, and Xball Team. At least 6 new groups emerged in the e-extortion arena in 2017, which aligns with the considerable growth of RDoS over the past few months. In retrospect, a number of newsmaking incidents have demonstrated the full diversity of the cybercriminals’ portfolio when it comes to DDoS for Bitcoin.
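As an added example (not part of the original article), the following triage routine scans an incoming email for the RDoS hallmarks described above: a DDoS threat, a Bitcoin demand, a payment deadline, and a claimed group name drawn from the list in this article. The sample email is constructed, and the group-name match is deliberately recorded as a claim only, since the article notes that impostors borrow well-known names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Groups the article names as RDoS senders. A hit only records the *claimed*
# identity: impostors routinely borrow these names to instill more fear.
KNOWN_GROUPS = ["Armada Collective", "DD4BC", "New World Hackers", "CyberTeam",
                "Anonymous", "RedDoor", "Lizard Squad", "XMR Squad", "FancyBear"]

THREAT_RE = re.compile(r"\b(ddos|denial[- ]of[- ]service|flood(?:ing)?|offline)\b", re.I)
BTC_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.I)
DEADLINE_RE = re.compile(r"(\d+)\s*(hours?|days?|weeks?)\b", re.I)
HOURS_PER = {"hour": 1, "day": 24, "week": 168}

@dataclass
class RdosTriage:
    is_rdos: bool                      # threat plus a demand and/or deadline
    claimed_group: Optional[str]       # name the sender claims, unverified
    btc_demand: Optional[float]
    deadline_hours: Optional[int]
    indicators: List[str] = field(default_factory=list)

def triage_email(body: str, demo_attack_seen: bool = False) -> RdosTriage:
    """Heuristic triage: flag the email if it pairs an explicit DDoS threat
    with a Bitcoin demand and/or a deadline, and collect the indicators."""
    ind = []
    lowered = body.lower()
    group = next((g for g in KNOWN_GROUPS if g.lower() in lowered), None)
    if group:
        ind.append(f"claims to be {group} (unverified)")
    threat = THREAT_RE.search(body) is not None
    if threat:
        ind.append("explicit DDoS threat")
    m = BTC_RE.search(body)
    amount = float(m.group(1)) if m else None
    if amount is not None:
        ind.append(f"demands {amount:g} BTC")
    d = DEADLINE_RE.search(body)
    hours = int(d.group(1)) * HOURS_PER[d.group(2).lower().rstrip("s")] if d else None
    if hours is not None:
        ind.append(f"deadline in {hours} hours")
    if demo_attack_seen:  # the 'we are not bluffing' test attack from the article
        ind.append("demo attack observed: treat sender as capable, invoke IR plan")
    return RdosTriage(threat and (amount is not None or hours is not None),
                      group, amount, hours, ind)

# Constructed sample, modelled on the email pattern the article describes.
SAMPLE_EMAIL = """Subject: DDoS attack warning
We are the Armada Collective. Pay 20 Bitcoin to the address below within
3 days or your network will be DDoS-ed and your site will be offline.
We will run a small attack now so you know we are not bluffing."""

if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL, demo_attack_seen=True))
```

The output feeds the emergency response plan the article recommends: a positive verdict plus an observed demo attack is the cue to engage upstream providers and mitigation, not to pay.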

ProtonMail case – the wakeup call

The above-mentioned Armada Collective crew gained notoriety for a well-orchestrated assault against ProtonMail, an encrypted email provider headquartered in Switzerland. The attack took root in early November 2015.

Sticking with a classic extortion scenario, the crooks first sent a blackmail email demanding Bitcoin for preventing a DDoS attack. Then came a test onslaught that took the company’s services offline for some 15 minutes. About 12 hours later, Armada Collective hackers hit ProtonMail’s datacenter and upstream providers with a 100Gbps DDoS attack. This incursion took down the company’s services and also caused serious collateral damage, affecting hundreds of other enterprise customers running operations with the same ISP. Confronted with a great deal of third-party pressure, ProtonMail ended up submitting a ransom of 15 Bitcoin, which was worth about $6,000 at the time. The attack didn’t stop, though, which shows that criminals hardly ever keep their promises.

RDoS aftermath of the Nayana ransomware incident

Another story shows ties between ransom DDoS and extortion through crypto ransomware. In late June 2017, a South Korean web hosting provider called Nayana fell prey to the Erebus Linux ransomware that crippled data on the company’s servers. This malicious code affected a total of 153 servers storing data of more than 3,000 customers. Nayana executives chose to follow the attackers’ demands and paid $1 million worth of Bitcoin to move on with their business.

The flip side of this case is that it demonstrated to crooks how financially submissive local firms can be. The attack was shortly followed by a wave of RDoS onslaughts against South Korean and Chinese companies. Most of the targets were large banks, including KB Kookmin Bank, KEB Hana Bank, and Shinhan Bank. The extortionists claiming to be from Armada Collective instructed the financial institutions to submit ransoms of about $315,000 to avert large-scale DDoS attacks.

Fortunately, the damage was restricted to demonstration SYN and NTP floods with low bandwidth of 5-20Gbps and never escalated into real, sustained attacks. There have been no official reports of payments made by the targets. Researchers argue this campaign was operated by impostors passing themselves off as Armada Collective to instill more fear.

The publicity around the Nayana attack and the subsequent attempts to rip off Asian companies has encouraged other extortionist groups to step in. In July 2017, a crew claiming to be Anonymous started sending out threat letters to large financial institutions in the United States. The criminals demanded 100 Bitcoin (about $460,000) to be paid within a 7-day deadline, otherwise the target network would undergo a heavy 1Tbps DDoS attack using an IoT botnet dubbed Mirai.

One of the latest incidents was an attempt to extort 5 Bitcoin (about $23,000) from the Swiss security researcher who runs the Abuse.ch website. The crooks, calling themselves CyberTeam, threatened to take the site down for 2 weeks if their demands weren’t met.

Final thoughts

DDoS is no longer the prerogative of hacktivists motivated by vengeance or fun. It has evolved into a powerful extortion instrument over the years. An important thing to bear in mind is that the ransom DDoS threat landscape is full of impostors who are all bark but no bite. It doesn’t take a rocket scientist to send an email with threats, so there’s room for a great deal of bluff in this segment of cybercrime.

And yet, the menace is real, it’s steadily growing, and it can do a lot of damage. If your company doesn’t have an emergency response plan yet, it’s about time to create one. Another important lesson learned from previous RDoS attacks is that paying the ransom is often the wrong choice: it doesn’t necessarily stop the incursion and instead encourages the perpetrators to keep at it.

Author: David Balaban