A scalpel, not a shotgun: DDoS extortion with increasing precision
SECURITY INSIGHTS | 20 October 2021
The number and intensity of extortion attempts by means of DDoS attacks have been increasing for years. The amount of ransom demands is increasing as well. Those who want to protect themselves from this type of threat effectively need to take the strategy behind these cyber attacks into account.
Cybercriminals use DDoS attacks to overload web applications with artificially generated requests. As soon as the resulting load exceeds the capacities of the underlying web infrastructure, the affected processes inevitably collapse, resulting in costly outages. In cybersecurity, once such a DDoS attack has been linked to a demand for ransom, it is referred to as a Ransom Denial of Service (RDoS) attack.
The costs incurred by cybercrime have been continually rising for years. A recent study by the digital association Bitkom showed that cyber attacks cost the German economy 223 billion euros per year. Nearly a third of these attacks are DDoS attacks. The horrendous amount of damage is due in no small part to the increased focus of attackers on individual sectors of the economy.
DDoS extortionists in particular use great care when choosing their victims. Attractive targets are primarily financially strong customers with critical digital services for which there is no respite when they fail. The perfidious ulterior motive: the victim’s willingness to pay grows the more critical the processes are. That is why more and more companies from the financial sector, the healthcare industry, or from the critical utilities sector are counted among those impacted. Accordingly, Allianz lists cyber incidents as the greatest risk these sectors face.
In addition to precise targeting, the timing of the attacks plays a vital role in the cybercriminals’ strategy. Most attacks take place right before the weekend, late on Friday evening or over the course of Saturday. Equally popular are public holidays and bridge days. IT departments are poorly staffed at these times, and key decision-makers are not directly available. This puts additional pressure on the staff who are present.
The deadlines set in the ransom demands only increase the level of pressure. The companies affected usually get these emails shortly before or concurrently with the first attack. These messages include a demand for the payment of a ransom in the digital currency Bitcoin. Those who do not transfer the amount due within the period set are subject to yet more powerful DDoS attacks by the attackers. In the first wave of attacks, cybercriminals merely want to demonstrate their determination – they mean business and are not making empty threats. The second attack is aimed at crippling the victim’s digital business processes over the longer term. If companies still refuse to pay, more attacks with ever-increasing ransom demands ensue.
The vast majority of cybercriminals (about 90 percent according to the 2021 Verizon Data Breach Investigations Report) primarily pursue monetary interests. RDoS campaigns in particular are designed to generate maximum profit in a short time. Targeting as many companies as possible in the same period of time requires a precise orchestration of available attack resources. With an increasing number of targets, this requires extensive coordination of the attack campaigns. DDoS extortionists are therefore an organized crime group that has come up with a lucrative business model.
To lend more force to their demands for ransom, the extortion gangs often pose as well-known hacker groups such as Fancy Bear APT28, Armada Collective, or Lazarus Group. It is not known to what extent there are actually connections between the attackers and these internationally active groups. Most recently, a major RDoS campaign took place in the German-speaking region under the alias “Fancy Lazarus,” a name making reference to two of the most well-known hacker collectives.
Attacks usually employ several attack vectors simultaneously, which are designed for the infrastructure layers (Layers 3 & 4) or the Application Layer (Layer 7), depending on the target.
They thus target both web applications themselves and the infrastructure behind them. In addition, cyber extortionists often resort to “reflection attacks” in their campaigns. The attacks are carried out using highly amplifying intermediate systems that are only indirectly involved (exploited by the attacker), which respond to the attackers’ short (small) requests with large data packets. To do this, the cybercriminals misuse conventional, completely legal web services and protocols such as DNS, NTP, or TFTP. Such reflection attacks thus increase the power of the attacks many times over while simultaneously ensuring that their origin is obfuscated.
Once adequately protected, companies’ digital processes can even endure volumetric attacks with no downtime. In such situations, cybercriminals often lose interest in the target following the initial attack since attacks on protected companies unnecessarily consume resources. In any case, protected companies are much less likely to be targeted because they do not fit the cybercriminals’ profile for prey. The risk is too high that a failed attack could compromise the underlying attack construct of botnets and corrupted servers. Cybercriminal tools usually have a finite shelf life. International investigative authorities are regularly able to break up far-flung botnets.
On balance, preventively protected companies benefit in several ways: expensive disruptions due to DDoS attacks are avoided and, at the same time, the threat level of the organization is permanently lowered because it becomes a less appealing target for attackers. The only answer to the intensified threat situation is preventive protection for the operational business.
The challenge in developing preventive protection measures lies in the precise definition of individual needs. Every company, every IT department, and every project is digitized to a different extent and has different priorities in terms of protection requirements. These focal points must be addressed in a targeted manner. Accomplishing this goal in the best way possible requires strong partners. Transformation to the new normal is characterized by digital ecosystems and partnerships. In the long run, no player of any size is capable of mastering all of these challenges on its own. By outsourcing IT security to specialists, security can be raised to a level that is difficult to accomplish in-house.
Myra DDoS Website Protection protects web applications on Layer 7 fully automatically. With full traffic visibility, Myra Security enables intelligent load balancing and site failover with high reliability and minimal response times.
Myra DDoS BGP Protection automatically protects against volumetric attacks on Layers 3 and 4. Detailed traffic analyses (NetFlow and sFlow) are provided by automatic flow monitoring. The failover of affected networks in case of an attack is also fully automated.