Ransom attacks dominate cybercrime headlines. May’s Colonial Pipeline attack reduced US east coast fuel supply by 45 percent, resolved only by a $4.4 million ransom payment. In the weeks that followed, President Joe Biden even went as far as calling on Vladimir Putin to move against ransomware groups operating from Russia.
Unsurprisingly, these incidents have sparked a number of high-profile debates around cybercrime payments, with the Director of the FBI, the US Attorney General and the White House warning firms against paying cyber-related ransoms. Despite this, new research from the Neustar International Security Council (NISC) found that 60 percent of businesses would consider paying in the event of an attack, with 1 in 5 potentially willing to spend more 20 percent or more of their annual revenue.
But it’s not just ransomware. DDoS extortion attacks are also rising in frequency and sophistication. Just last month, a well-known threat group, Fancy Lazarus, returned with a new ransom-related DDoS campaign targeting multiple sectors. And while ransom-DDoS (RDDoS) is not a new phenomenon, their targets and ambitions are.
Attackers are now aiming at a wide variety of organizations, spanning financial services, governments, telecoms and beyond – vital infrastructure providers for our day-to-day lives. An INTERPOL assessment of cybercrime throughout the pandemic has shown “a significant target shift from individuals and small businesses to major corporations, governments, and critical infrastructure,” and was further validated by warnings from the Cybersecurity & Infrastructure Security Agency (CISA).
Reasons behind the rise
There are two main reasons for the growth in RDDoS attacks. Firstly, adopting DDoS as a ransom vector, as opposed to using malware, makes carrying out such attacks much easier. Inserting malware or ransomware into organizations takes time and careful planning. Launching a DDoS attack, by comparison, has become relatively simple and has the added benefit of being harder to trace back to its origin. Which ladders up to the second reason:
It is easy money. Not only is the technology of an RDDoS attack more straightforward, clients that receive extortion threats are typically sent a demand letter that follows a rudimentary template format. In the letter, users are threatened with a DDoS attack unless the demands for payment, usually in Bitcoin, are met. The attackers routinely send sample attacks the next day and threaten a high volume—up to 2Tbps—of attack traffic if the ransom is not paid. With a potential 60 percent success rate and a simple means to do so, it is no wonder RDDoS is on the rise.
Fortunately, observed attacks have been considerably smaller than the threatened 2Tbps, ranging from 20 to 300 Gb per second – which points toward smaller actors claiming to be these larger organizations as intimidation tactics. And while smaller attacks may make remediation less challenging, as always, prevention and preparedness is far greater than a cure.
Preparing against RDDoS
The first step is always assessing your current risk. Identify all your online assets and where they reside – from the data center to the cloud – and consider what needs protecting to ensure business continuity. It might not be everything. During this stage, you should also look at particularly high-value assets or assets that share infrastructure with one another.
Next, gauge the strength and extent of solutions needed. The breadth of assets you need to protect, your tolerance for downtime and the IT resources available, dictate this decision. If your assets are not extensive, DDoS protection via your ISP or cloud service provider could be an option. For larger and more complex networks, a DDoS mitigation service or a fully managed cloud DDoS platform is a more advisable choice.
You then need to form and implement mitigation strategies. Their requirements should map directly to your network configuration and operational needs. Taking an always-on approach, for example, means traffic is routed through your DDoS mitigation provider’s platform, whereas border gateway protocol (BGP) or DNS swings divert traffic when mitigation is needed.
Lastly, but importantly, keep your security provider in the know. An effective DDoS protection strategy is not something you simply set- and forget. Devices and configurations change constantly. Your DDoS mitigation plan has to keep in step. Conduct scheduled service reviews with your provider(s) and key IT team members at least every quarter. If your network and applications change even more frequently your test schedule needs to reflect this.
Do not pay.
With over 30,000 reported DDoS attacks a day, some organizations will end up on the receiving end of an RDDoS threat. The number one rule is: remain calm and do not pay. Paying immediately lists your organization as a high-success rate target. We know that cybercriminals communicate between groups so paying up has the potential to invite future attacks, even if these specific attackers have promised to leave you alone in the aftermath. It makes business sense for them to target you. Furthermore, these are criminals you are dealing with – there is no guarantee that they will leave you alone nor simply ask for more money after the fact.
The first step is to report the threat immediately to the relevant authorities. Any and all information provided helps toward identifying perpetrators and building a case file against known groups.
Next, if you don’t work with one already, approach a DDoS security provider to arrange an emergency mitigation response as soon as possible. Alternatively, if you already work with a third-party DDoS protection vendor, share all details. In many instances extortionists do not follow through, but preparing for the worst is vital. Your DDoS partner will be better able to help you do that if they are forewarned. When the day comes that payment is inevitably not met, ensure you’ve asked the provider to put your assets under pre-emptive mitigation. Even though threatened attacks don’t always occur, you want to be ready if one does.
Lastly, keep communicating. Establish an open channel between operations teams and providers for the entire day to guarantee necessary access and ensure effective responses.
Even if the appointed day passes without an attack, it’s a good idea to remain vigilant for a few days afterwards, just to be safe.
With the right preparation, strategies, and protection providers in place, your business can and will successfully weather RDDoS attacks. It comes down to convincing your CSO / CIO that the risk is evident and proportional prevention investments and strategies must be put in place.
Rodney Joffe, SVP and Fellow, Neustar
