Wed, Jul 14, 2021
Kroll experts have observed an increase in distributed denial of service (DDoS) attacks by cybercriminals seeking to turn a profit, in two distinct incident types. First, many ransomware operators now threaten and conduct DDoS attacks as an additional pressure tactic during ransom negotiations. Second, in what is known as ransom denial of service (RDoS), attackers threaten to take down an organization’s public-facing services with a DDoS attack unless a ransom is paid.
DDoS attacks are designed to exploit bottlenecks within an organization’s systems. If a website or other internet-facing service is flooded with more data, traffic or requests than it can handle, the system may be unable to respond to legitimate requests and may ultimately fail. Attackers also use this method to disrupt regular business activity and distract employees while data is exfiltrated.
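The paragraph above describes a flood as traffic exceeding a bottleneck’s capacity. The script below is an added example (not code from Kroll or from this article) showing the detection side of that description: it bins a web access log into one-second windows and flags windows whose request rate exceeds an assumed capacity, distinguishing a distributed flood (many source addresses, the DDoS case) from a single noisy client that ordinary per-IP rate limiting would handle. The log lines, IP ranges and thresholds are all constructed for the example.

```python
"""Added example: flag volumetric flood windows in a constructed web access log.

Not part of the original article. Log lines, addresses and thresholds are
constructed; the capacity figure (requests per second) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-style line: client IP, two ignored fields, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Constructed base timestamp for the sample log.
BASE = datetime(2021, 7, 14, 10, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return (epoch_second, client_ip) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m.group("ip")


def analyze(lines, capacity_rps, min_sources):
    """Bin requests per second and classify each window.

    capacity_rps: assumed request rate the service can sustain (bottleneck).
    min_sources:  distinct source count above which an over-capacity window is
                  treated as distributed rather than a single abusive client.
    Returns {epoch_second: (requests, distinct_sources, verdict)}.
    """
    per_second = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the analysis
        sec, ip = parsed
        per_second[sec]["requests"] += 1
        per_second[sec]["sources"].add(ip)

    findings = {}
    for sec, stats in sorted(per_second.items()):
        rate, nsrc = stats["requests"], len(stats["sources"])
        if rate <= capacity_rps:
            verdict = "normal"
        elif nsrc >= min_sources:
            verdict = "distributed_flood"      # the DDoS case
        else:
            verdict = "single_source_burst"    # rate-limit the one client
        findings[sec] = (rate, nsrc, verdict)
    return findings


def _line(ip, second, path="/"):
    ts = (BASE + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed log: baseline, then a distributed flood, then one noisy client."""
    lines = []
    # second 0: baseline, 8 requests from 4 internal clients
    for i in range(8):
        lines.append(_line(f"10.0.0.{i % 4 + 1}", 0))
    # second 1: distributed flood, 400 requests spread over 200 sources
    for i in range(400):
        lines.append(_line(f"203.0.113.{i % 200 + 1}", 1))
    # second 2: a single client hammering one endpoint, 150 requests
    for i in range(150):
        lines.append(_line("198.51.100.7", 2, "/search"))
    lines.append("not a log line")  # malformed input the parser must tolerate
    return lines


if __name__ == "__main__":
    for sec, (rate, nsrc, verdict) in analyze(build_sample_log(), 100, 50).items():
        print(f"{datetime.fromtimestamp(sec, timezone.utc):%H:%M:%S} "
              f"requests={rate:4d} sources={nsrc:4d} {verdict}")
```

The two thresholds are where the judgement lives: `capacity_rps` should come from load testing or from the provider’s scrubbing contract rather than a guess, and `min_sources` separates traffic that a per-IP limit can absorb from traffic that needs upstream mitigation.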
Multiple ransomware gangs have added DDoS attacks as another pressure tactic during the ransom negotiation process. Figure 1 highlights a DDoS threat posted to the Avaddon ransomware group’s actor-controlled site. Such activity frequently occurs when negotiation discussions stall as a means for the ransomware gangs to force the victim to resume discussions.
Figure 1: Avaddon DDoS Threats
An RDoS attack adds an extortion element to a standard DDoS attack: a cybercriminal threatens to perform a DDoS attack against an organization unless a ransom is paid. Typically, the actors first perform a “teaser” DDoS attack, sending anywhere from 50–100 gigabits per second (Gbps) of traffic at an IP address associated with the target to prove their ability to carry out the attack.
After the initial “teaser” attack, threat actors often threaten higher-volume attacks that would cause more damage to public-facing services unless the ransom is paid. To lend legitimacy to the threat, actors may masquerade as well-known advanced persistent threat (APT) groups. In reality, the groups sending the extortion letters commonly lack the ability to carry out the DDoS attacks they threaten. These letters typically come in waves following news reports of major DDoS attacks or the discovery of a new vector for carrying out DDoS attacks. Sometimes the attacker does not carry out the follow-on attack even when the target does not pay the ransom demand.
On occasion, an organization may not experience a “teaser” attack at all but simply receive a letter threatening such activity. Receiving an RDoS extortion letter does not necessarily mean that an attack will follow. In fact, most attackers capable of carrying out an RDoS attack work under the radar and give no warning before launching their sample attack.
Some common features of attempted RDoS attacks identified by Kroll analysts include:
These RDoS attacks can easily take down under-protected public-facing services. However, a DDoS mitigation solution with robust traffic scrubbing capabilities can easily handle attacks of this volume.
In a recent Kroll engagement, a victim was the target of an RDoS attack performed by a group claiming to be a well-known APT group. The DDoS attack took down the company’s internet-facing assets.
A few employees received a ransom note via email, purportedly from the criminals, with instructions on when and how the company could make payments to prevent a future attack.
The organization reached out to Kroll to help with managing the incident. Kroll analysts took several steps to improve the company’s security posture and protection against DDoS attacks:
The following recommendations, provided by Kroll expert James McLeary, should be taken into consideration to protect against the threat of DDoS attacks:
To adequately protect your organization from a DDoS attack, it is important to implement good cyber hygiene to ensure you’re covered. In the event of an attack, Kroll experts can help respond. For further guidance, contact a Kroll expert at one of our 24x7 cyber incident response hotlines or connect with us through our Contact Us page.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.