Emergency: I got a DDoS ransom note, what should I do?
- Do not pay and do not contact the blackmailers – If you accept the deal with the criminals, you make yourself vulnerable and expose yourself as a lucrative target. This may result in further attacks with more complex attack methods and demands for higher ransoms. In addition, these payments serve to support the extortionists’ business model.
- Check your infrastructure for possible vulnerabilities – Are sensitive business processes protected from being overloaded on all of the relevant network layers?
- Implement suitable protective measures with professional assistance – Even while an attack is underway, DDoS traffic can be mitigated within a short time by onboarding the affected systems to a protection service on an emergency basis.
- Report attacks and extortion attempts to the police – In Germany, operators of critical infrastructure (KRITIS) are also required to report such incidents to the Federal Office for Information Security (BSI).
RDoS attacks: a known modus operandi
The modus operandi of DDoS extortionists is by no means new. In the past few years, cybercriminals have run several large-scale RDoS (Ransom Denial of Service) campaigns. The approach is always the same: companies receive a blackmail note demanding payment of a ransom in Bitcoin. At the same time, an initial DDoS attack is carried out to lend weight to the demand. If the company does not pay by the deadline, a further attack is launched. To make the demand more intimidating, the extortion gangs often pose as well-known hacker groups such as Fancy Bear (APT28), Armada Collective, or Lazarus Group. Whether there is any actual link between the attackers and these internationally operating groups is unknown. The current RDoS campaign in the DACH region is being carried out under the alias “Fancy Lazarus,” a name that combines those of two of the most widely known hacker collectives in the world.
These attacks usually employ several attack vectors simultaneously, aimed either at the Network and Transport Layers (Layers 3 and 4) or at the Application Layer (Layer 7), depending on the target. The most common vectors on Layers 3 and 4 are ICMP flooding, UDP fragmentation, UDP amplification via DNS, NTP, rpcbind, and SSDP, as well as ACK flooding and RST flooding. On Layer 7, HTTP GET and POST floods and other request floods, together with low-and-slow attacks, are the most common vectors.
Who do the hackers have in their sights?
Fast and hassle-free emergency assistance in case of attack: Myra Security is ready to help!
Myra DDoS Protection for Applications automatically protects websites, DNS, email, and VoIP on Layers 3, 4, and 7. With full traffic visibility, Myra provides intelligent load balancing and site failover with high reliability and short response times.
Myra DDoS BGP Protection fully automatically protects against volumetric attacks on Layers 3 and 4. The protective solution is easy to implement and requires no additional hardware or software. Detailed traffic analyses (NetFlow and sFlow) are provided by automatic flow monitoring. The failover of affected networks in case of attack is also fully automated.