There is no doubt that the COVID-19 pandemic has caused an enormous amount of disruption throughout the world. Economists claim that the pandemic has led to an economic shock three times worse than the 2008 financial crisis. Meanwhile, lockdown restrictions have forced organisations to adopt work-from-home policies, driving even more traffic online in an already digital world.
As a result of this disruption and increased dependence on online services, cybercriminals have seized the opportunity presented to them by the pandemic to launch an unprecedented number of Distributed Denial-of-Service (DDoS) attacks. In fact, NETSCOUT observed that for the first time ever, the number of DDoS attacks exceeded the 10 million mark in 2020, with an astonishing total of 10,089,687 attacks. That is an increase of roughly 1.6 million attacks compared to the 2019 figure of 8.5 million.
In mid-August, NETSCOUT identified that cybercriminals were exploiting the uncertainty surrounding the pandemic even further when a relatively prolific threat actor – assigned the moniker Lazarus Bear Armada (LBA) because of the attackers’ propensity to impersonate the ‘Lazarus Group’, ‘Fancy Bear’ and ‘Armada Collective’ threat groups – began a global campaign of DDoS extortion attacks.
What is a DDoS extortion attack?
Sometimes referred to as ransom DDoS (RDDoS), DDoS extortion attacks are characterised by cybercriminals threatening to launch a DDoS attack if a ransom demand is not met within a certain period of time. In some cases, the attacker first launches a demonstration DDoS attack against selected components of the targeted organisation’s online infrastructure. An extortion demand for payment, usually in cryptocurrency, is then emailed to the organisation. Typically, the extortion demand claims that the attacker has up to 2Tbps of DDoS attack capacity ready to use, and that an attack will take place if the payment is not transferred to the attacker within a set timeframe.
It is worth noting that there is one big difference between DDoS extortion attacks and ransomware attacks, and it lies in an organisation’s ability to control its own fate. With a DDoS extortion attack, there is always the possibility that data can be recovered. As such, businesses do not need to pay the attacker, provided that they have an adequate DDoS protection system in place. With a ransomware attack, however, if the attackers succeed in encrypting an organisation’s data, there is not much the organisation can do once infected other than pay the attacker and hope they will hand over the decryption key – so long as one is available.
Impact of extortion attacks
In most cases, when the attackers’ extortion demands are not met, the threatened follow-up attacks do not take place and the attacker moves on to a new target organisation.
However, this is not always the case. In the ongoing DDoS extortion campaign led by the LBA group, the attackers started returning to earlier targets. Businesses that had successfully mitigated the initial DDoS attack against their online infrastructure were then hit by follow-up attacks weeks or even months after the original attack occurred.
The collateral impact of these DDoS extortion attacks can be extremely high. In some scenarios, attacks against the upstream transit Internet Service Providers (ISPs) that supply connectivity to the targeted businesses have resulted in significant disruption to bystander internet traffic.
Therefore, with DDoS extortion attacks continuing to rise, businesses that are not prepared face a significant amount of risk. As these attacks are capable of taking down online infrastructure and services, measures must be put in place before an attack occurs in order to protect these key assets, especially with remote working continuing for the foreseeable future. Security experts share this view and maintain that a business should never pay the demanded ransom. Instead, they encourage businesses to put their money and resources towards implementing a strong and effective DDoS mitigation system that prevents them from falling victim to DDoS extortion attacks.
How can businesses prevent DDoS extortion attacks?
The majority of DDoS attack techniques and vectors are well known, meaning that businesses can stop an attack using established DDoS protection mechanisms. There are a number of steps that businesses can take to prevent themselves from falling victim to DDoS extortion attacks. Perhaps the most important is to deploy DDoS countermeasures that protect public-facing infrastructure before a threat or attack actually occurs. This gives an organisation peace of mind should it be on the receiving end of a DDoS extortion attack, because it knows it has a system in place to block the attack. Businesses that had adequately prepared to defend their infrastructure have experienced little or no significant negative impact from DDoS extortion attacks.
Additionally, it is vital for a business to test its DDoS protection system on a semi-regular basis to make sure that any changes to its online infrastructure are incorporated into its DDoS defence plan. This ensures that all of an organisation’s online infrastructure components remain protected against the threat posed by DDoS attacks. Furthermore, as soon as an organisation receives a message demanding a DDoS extortion payment, it should immediately contact the relevant parties. Whether these are its peer/transit ISPs, security providers or local authorities, it is vital that a business knows who to contact and notify the moment it receives a DDoS extortion demand. A business must also ensure that its DDoS defence plans are active, and remain vigilant.
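The testing step above is where defence plans most often drift: a host goes live and nobody registers it with the mitigation provider, or a decommissioned host lingers in the provider's configuration. The following script is an added example, not code from the article or from NETSCOUT, showing one way to automate that check. It compares a constructed asset inventory (hypothetical hostnames on the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) against a constructed mitigation configuration consisting of prefixes routed through a scrubbing service plus individually registered origins, and reports both unprotected public assets and stale registrations.

```python
"""Coverage check for a DDoS defence plan (added example; data is constructed).

Assumed model: a public-facing asset is protected if its IP falls inside a
prefix that is routed through the mitigation provider, or if the host is
registered with the provider by name. Anything else is a gap the next
extortion demand would find before the defence team does.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Asset:
    """One public-facing service from the asset inventory."""
    hostname: str
    ip: str
    service: str  # e.g. "https", "dns", "vpn"


# Constructed inventory (hypothetical names, documentation IP ranges);
# in practice this would be exported from a CMDB, DNS zone or cloud API.
INVENTORY = [
    Asset("www.example.test", "203.0.113.10", "https"),
    Asset("api.example.test", "203.0.113.11", "https"),
    Asset("vpn.example.test", "203.0.113.20", "vpn"),
    Asset("ns1.example.test", "198.51.100.5", "dns"),
    # Deployed after the last review; nobody told the DDoS team.
    Asset("new-portal.example.test", "203.0.113.42", "https"),
]

# Constructed mitigation configuration: prefixes routed through the scrubbing
# provider, plus hosts registered with it individually (one of them is stale).
PROTECTED_PREFIXES = ["203.0.113.0/28"]
REGISTERED_ORIGINS = {"vpn.example.test", "old-shop.example.test"}


def is_protected(asset: Asset, prefixes: Iterable[str], origins: Iterable[str]) -> bool:
    """Covered if registered by name or if the IP sits in a protected prefix.
    A v4 address tested against a v6 prefix (or vice versa) is simply False."""
    if asset.hostname in set(origins):
        return True
    addr = ipaddress.ip_address(asset.ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def coverage_gaps(inventory: Iterable[Asset], prefixes: Iterable[str],
                  origins: Iterable[str]) -> List[Asset]:
    """Public-facing assets the mitigation configuration does not cover."""
    return [a for a in inventory if not is_protected(a, prefixes, origins)]


def stale_origins(inventory: Iterable[Asset], origins: Iterable[str]) -> List[str]:
    """Registered hosts that no longer exist in the inventory. Stale entries
    hide the fact that the defence plan has drifted away from reality."""
    live = {a.hostname for a in inventory}
    return sorted(set(origins) - live)


def coverage_report(inventory: List[Asset], prefixes: Iterable[str],
                    origins: Iterable[str]) -> dict:
    """Summary suitable for a ticket or a dashboard after each review."""
    gaps = coverage_gaps(inventory, prefixes, origins)
    return {
        "total": len(inventory),
        "protected": len(inventory) - len(gaps),
        "gaps": [f"{a.hostname} ({a.ip}, {a.service})" for a in gaps],
        "stale_origins": stale_origins(inventory, origins),
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, PROTECTED_PREFIXES, REGISTERED_ORIGINS)
    print(f"{report['protected']}/{report['total']} public assets covered")
    for line in report["gaps"]:
        print("UNPROTECTED:", line)
    for host in report["stale_origins"]:
        print("STALE REGISTRATION:", host)
```

Run on the constructed data, the script flags the DNS server on the second range and the newly deployed portal as unprotected, and the decommissioned shop as a stale registration. Wiring the inventory export and the provider's configuration into this check on a schedule turns the article's "semi-regular testing" into something that cannot be forgotten when infrastructure changes.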
Businesses should also learn from previous DDoS extortion campaigns. For example, there can be obvious similarities between the LBA extortion campaign and the DD4BC series of attacks launched from 2014-2016. The campaigns had similar targets, including the finance industry, while the threat actors behind the campaigns also displayed a number of similar methods and techniques.
Though the majority of organisations have the resources to prevent themselves from falling victim to a DDoS extortion attack, it is still necessary to take the threat posed by these attacks seriously. Provided that a business has invested in a strong and effective DDoS mitigation system, it should not fear a DDoS extortion attack.