
Ransomware vs Ransom DDoS

Ransom DDoS brings to mind a different cyberattack with a similar name: ransomware. Ransomware is a type of attack where the victim is blackmailed into paying a ransom to have an unwanted encryption of their data and devices lifted. The "ransom" in ransom DDoS comes from precisely that blackmailing method and the demand for a pay-out. In a ransom DDoS attack, the cybercriminal also demands money in exchange for leaving the victim alone, the difference being that a DDoS attack is used as the method instead of a malware attack.

The attack is preceded by threats

It all starts with an email. The email is usually sent from an encrypted email service, such as ProtonMail, approximately 15 minutes before an initial DDoS attack begins. In many cases, the targeted organization is unaware that a threat has even been received, as these emails tend to end up in junk mail, the recipient misses it, or he/she is simply out of office. The actual ransom varies depending on the skill and confidence of the attacker, but it usually starts at 1 bitcoin ($ 33 500) and ranges all the way up to 20 bitcoin ($ 670 000), with figures that increase as payment deadlines are exceeded.
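The email traits described above (encrypted-mail sender, bitcoin demand, deadline, DDoS threat) can be turned into a mailbox triage check that also covers junk folders. The Python below is an added example, not code from Baffin Bay Networks; the indicator patterns, the domain watch list, the threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed indicator set, built from the traits the article describes.
INDICATORS = {
    "ddos_threat": re.compile(r"\b(ddos|denial[- ]of[- ]service)\b", re.I),
    "bitcoin_demand": re.compile(r"\b\d+(\.\d+)?\s*(btc|bitcoins?)\b", re.I),
    "deadline": re.compile(r"\b(within|in)\s+\d+\s+(hours?|days?)\b|\bdeadline\b", re.I),
    "wallet_address": re.compile(r"\b(bc1[a-z0-9]{20,}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
}
# Assumed watch list; ProtonMail is the only service the article names.
ENCRYPTED_MAIL_DOMAINS = {"protonmail.com", "proton.me"}

def score_message(raw):
    """Return (sender address, sorted indicator names hit) for one RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if sender.rpartition("@")[2] in ENCRYPTED_MAIL_DOMAINS:
        hits.append("encrypted_mail_sender")
    return sender, sorted(hits)

def triage(mailbox, threshold=3):
    """mailbox: iterable of (folder, raw_message); junk is scanned on purpose."""
    alerts = []
    for folder, raw in mailbox:
        sender, hits = score_message(raw)
        # Require the DDoS threat itself so bitcoin spam alone does not alert.
        if "ddos_threat" in hits and len(hits) >= threshold:
            alerts.append({"folder": folder, "sender": sender, "hits": hits})
    return alerts

# Constructed sample messages, not real notes.
SAMPLE_MAILBOX = [
    ("Junk", "From: x <collective@protonmail.com>\nSubject: Your network\n\n"
             "A DDoS attack on your network starts soon. "
             "Pay 2 BTC within 6 days or the fee increases."),
    ("Inbox", "From: Vendor <sales@example.com>\nSubject: DDoS protection webinar\n\n"
              "Join our webinar on denial-of-service trends next week."),
    ("Junk", "From: promo@example.net\nSubject: Invest today\n\nBuy 1 bitcoin within 2 days!"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_MAILBOX):
        print(alert)
```

Because the first attack follows the email within minutes, a check like this only helps if it runs on delivery and pages someone, rather than waiting for a person to open the junk folder.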

The first attack sets an example

The initial DDoS attack is considered a demonstration of the attacker’s ability, and it often occurs within 15 minutes of the threat. Multiple devices are used simultaneously to send traffic volumes towards a targeted website or server that are large enough to immobilize it altogether. These attacks vary in strength. At Baffin Bay Networks, we’ve observed and mitigated attacks ranging from a few Gbps to over 200 Gbps, and they usually last for a couple of hours. During these initial attacks, unprotected organizations tend to report performance issues when connecting to virtual private network gateways, email clients, chat-based collaboration platforms (such as Slack or Teams) and other crucial services. The attacks often target infrastructure, and they originate from several attack vectors. In addition, attackers monitor the effect of the attack and “fine tune” it in real time to cause as much damage as possible.

If the ransom isn’t paid within X number of days, the cybercriminal threatens a second, larger attack against key, business-critical assets. There is rarely a way to communicate with the attacker, other than the one used to pay the actual ransom into a bitcoin wallet.

How we relate to ransom DDoS

Ransom DDoS is not new, but we have seen an increase in these types of attacks over the last couple of months. The attackers target organizations in any industry, but a particular increase is seen within finance, travel and e-commerce. One reason behind the increase in ransom DDoS is that many companies lack sufficient protection of their entire IT environment to proactively mitigate an attack, and are therefore forced to pay large amounts of money in bitcoin. It’s simply lucrative for the attacker.

The key to making sure you’re protected against ransom DDoS is to have intelligent protection that can separate good and bad traffic quickly and with high precision, even in very large quantities. The attacks sometimes try to disrupt companies' DNS servers and can therefore jeopardize their ability to connect to the Internet. DNS servers are sometimes managed outside of the organization and might not be covered by the same level of protection as the rest of your IT environment. As DDoS attacks bring very large volumes of traffic, it's necessary to be able to tell friends from foes and rapidly mitigate any traffic patterns that deviate from normal. This is most easily done with a cloud-based Threat Protection Service, so that you can ensure the same quality of protection no matter where you store your assets.

Stay safe out there!

Ola Björling
