Cyber Extortion: Fighting DDoS Attacks


How to Defend Against the Surge in Shakedowns

Cyber-extortion attacks are on the rise for one reason: The lure of easy money.


Such attacks often unfold in this way: Attackers disrupt a site for a short period with a distributed denial-of-service attack, send a ransom note threatening further disruption, and if the ransom doesn't get paid, sometimes make good on that threat.

An increasing number of attack groups have been waging DDoS extortion campaigns globally, often targeting multiple organizations in any given sector at once before moving on to a new sector and starting afresh.

"We have seen a lot of activity in relation to the 'DDoS as an extortion' technique being used by groups such as the Armada Collective and also DD4BC," says Brian Honan, a Dublin-based information security consultant who heads Ireland's computer emergency response team. DD4BC is short for "DDoS for Bitcoin," an extortion racket that first emerged in July 2014.

Law enforcement agencies continue to track and sometimes arrest suspected DDoS extortionists, despite their use of bitcoins to try to disguise their identity (see How Do We Catch Cybercrime Kingpins?). Earlier this month, for example, the EU's law enforcement intelligence agency, Europol, announced that it helped coordinate an operation that identified "key members of the organized network" behind DD4BC, located in Bosnia and Herzegovina, after which both a "main target" as well as another suspect were arrested there. But authorities haven't released any further details (see Europol Announces DD4BC Arrests).

It's unclear just how widespread DDoS extortion attacks are, says Honan, who's also a cybersecurity adviser to Europol. "I have no sense how many [ransom notes] are being sent," he says. "One industry we have seen as being victims are online service providers such as email and hosting providers, e.g. Protonmail in Switzerland," Honan says. Protonmail is a Geneva-based encrypted email service provider that paid 15 bitcoins (about $6,000) this past November to extortionists, only to have its site get knocked offline anyway. And banking sector experts say that financial services firms are among the most-targeted organizations too.

Extortion Comes in Multiple Forms

Roland Dobbins, a principal engineer at DDoS defense firm Arbor Networks, notes that attackers typically employ DDoS extortions for one of three reasons:

Profit: Criminals are looking for easy bitcoins.

Ideology: Many attacks, Dobbins says, are ideologically motivated, with attackers "trying to force the targeted organization to stop doing something the attackers find objectionable, or start doing something the attackers find desirable."

Bickering: Some DDoS extortions are what he refers to as "intra-miscreant," such as rival fraudsters demanding each others' credit card dumps.

Dobbins says a ransom demand can range anywhere from 1 to 100 bitcoins (worth about $400 to $40,000). In some cases, victims who have paid the ransom then receive repeat, increasing ransom demands from the same extortion gang.

A History of Online Extortion

Using online channels and the threat of disruption to extort victims isn't new. In fact, DDoS extortion attacks date back to the late 1980s, Dobbins says, when "warez" gangs - referring to illegal copies of software - regularly shut down each other's IRC channels over petty disputes.

By the mid-1990s, the first packet-flooding attacks against websites appeared as attackers threatened further disruption unless victims paid a ransom via wire transfer, Dobbins says. By the late 1990s, attackers focused on niche sites that were least likely to appeal to authorities, such as online gambling and adult entertainment sites. And that continues to an extent today, with attacks against encrypted email service providers, bitcoin miners, cryptocurrency exchanges and even banks, he says.


After temporarily waning, cyberextortion attacks have surged in recent years, Honan says, especially those targeting organizations in the U.S. and Europe. In November 2015, for example, three Greek banks reported multiple website disruptions after they refused to accede to extortionists' bitcoin demands (see Greek Banks Face DDoS Shakedown).

Responding to DDoS Extortion: 8 Steps

With the threat of DDoS extortion attacks on the rise, here are seven steps that security experts recommend organizations pursue to defend themselves against related threats and attacks:

React: Take any extortion threat seriously. Immediately "spin up" an incident response team to manage your organization's response to any such attacks or threats.

Defend: Review DDoS defenses to ensure they can handle attackers' threatened load, and, if necessary, contract with, subscribe to or buy an anti-DDoS service or tool.

Alert: Warn the organization's data centers and ISPs about the threatened attack, which they may also be able to help mitigate.

Report: Tell law enforcement agencies about the threat - even if attackers do not follow through - so they can amass better intelligence to pursue the culprits.

Withhold: Never pay attackers, which encourages repeat - and copycat - attacks.

Fallback: If an attack occurs, for its duration, redirect website users to a previously unrevealed and pre-prepared backup site, or else to a ready-made microsite.

Review: Continually review and update business continuity plans to prepare for any disruption in order to minimize the impact to the organization's operations.

Monitor: Consider implementing some type of threat-intelligence capability to track these types of threats.

Paying Ransoms Doesn't Pay

Regardless of who's behind any online extortion attempt - or their motivation - experts' advice for dealing with such threats is clear: "Don't pay the ransom," Honan says. "Anyone we've seen or dealt with that has not paid the ransom, all of them have not had a subsequent DDoS afterwards."

By contrast, Arbor's Dobbins says some organizations that have paid ransoms have been subjected to repeat disruptions and increasing ransom demands. For example, Protonmail in Switzerland reported that after its website was knocked offline for about 15 minutes and it received a ransom notice, it "grudgingly agreed" to pay the ransom after being pressured by its ISP to do so.

But ProtonMail then got hammered by a second, much larger DDoS attack anyway, although officials say no related ransom note was ever received. The attack not only knocked ProtonMail offline, but also disrupted its ISP's data center and hundreds of its other downstream customers. "We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless," ProtonMail said in a blog post. "This was clearly a wrong decision."

Security experts say the right decision for DDoS ransom-demand victims is to work with law enforcement authorities. "The recent [anti-DD4BC] operation and arrests are a good example of why talking to law enforcement is a good thing," Honan says. "All that information gets shared with Europol, who then can analyze it and depending on the results of that analysis set up an operation."

Regarding the @EC3Europol action against DD4BC, big kudos to all those victim organisations who worked with LEA to enable police to take action.

But the importance of preparation - including maintaining logs to understand what normal network-traffic volumes look like, keeping all Internet-facing systems fully patched and working with your ISP and DDoS mitigation services - cannot be overemphasized, according to the U.K.'s computer emergency response team (see The CISO's Role in Fighting Extortion).

"As part of normal security measures, liaise with your ISP or Internet hosting provider so they can be ready to provide traffic filtering, IP blocking and additional bandwidth to help mitigate any disruption," a CERT-UK spokesman tells Information Security Media Group. "In attacks seen so far, upstream filtering of specific protocols appears to have been reasonably effective."
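The preparation CERT-UK describes above, knowing what normal traffic volume looks like and being able to tell your ISP which protocol to filter upstream, can be turned into a simple baseline check. The following is an added example, not code from the article or from CERT-UK; the flow-log format and every value in it are constructed, and the spike threshold (five times the median minute) is an assumption you would tune against your own traffic.

```python
# Added example (not from the article): derive a "normal" per-minute traffic
# baseline from flow logs and flag minutes whose volume is abnormally high,
# reporting the protocol that dominates the spike (what the ISP would need for
# upstream filtering). Log format and all values are constructed for this example.
from collections import Counter, defaultdict
from statistics import median

# Constructed sample flow records: "<epoch-minute> <protocol> <bytes>".
SAMPLE_LOG = """\
1000 tcp 120000
1000 udp 8000
1001 tcp 110000
1001 udp 9000
1002 tcp 130000
1002 udp 7000
1003 tcp 125000
1003 udp 8500
1004 tcp 118000
1004 udp 6500000
1004 udp 6200000
1005 tcp 122000
1005 udp 8000
bogus line
"""

def volume_per_minute(text):
    """Parse records and aggregate bytes per minute and per (minute, protocol).
    Malformed lines are skipped rather than aborting the analysis."""
    total, by_proto = defaultdict(int), defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit() or not parts[2].isdigit():
            continue
        minute, proto, nbytes = int(parts[0]), parts[1].lower(), int(parts[2])
        total[minute] += nbytes
        by_proto[minute][proto] += nbytes
    return total, by_proto

def find_spikes(total, by_proto, factor=5.0):
    """Return (baseline, [(minute, bytes, dominant_protocol)]) for minutes whose
    volume exceeds factor * median; a median baseline is not dragged up by the spike."""
    baseline = median(total.values())
    spikes = []
    for minute in sorted(total):
        if total[minute] > factor * baseline:
            proto = by_proto[minute].most_common(1)[0][0]
            spikes.append((minute, total[minute], proto))
    return baseline, spikes
```

On the constructed sample the only flagged minute is 1004, dominated by UDP, which is the kind of finding that lets the ISP apply protocol-specific upstream filtering.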