We've seen a rise in extortion and ransom-based DDoS (RDDoS) attacks targeting organizations around the world. While RDDoS threats usually do not result in an attack, the cases seen in recent months show that these attackers are willing to carry out the threat, launching large scale DDoS attacks that can overwhelm organizations that lack adequate protection.
In an RDDoS attack, a malicious party threatens a person or organization with a cyber attack that could knock their networks, websites, or applications offline for a period of time, unless the person or organization pays a ransom.
The average cost of a DDoS attack for an enterprise is $2 million, according to a Kaspersky Lab study. Additionally, 23% of companies report losing revenue or potential customers, and 22% saw their reputation damaged among clients. Facing these possible consequences, paying a ransom to eliminate the threat of a DDoS attack may seem like a viable option. Paying the ransom is never a good idea though; it just provides additional resources for the attacker to carry out even more attacks in the future.
As a leader in DDoS prevention solutions, Cloudflare is well positioned to protect an organization against RDDoS and recommends that organizations take steps to protect themselves from the attack.
DDoS-based extortion attempts are initiated when victim organizations receive threatening messages demanding payment by a certain date and time. If they refuse to pay the ransom or meet the payment deadline, attackers threaten to carry out a DDoS attack against their networks and web properties. In many cases a demonstration attack will also be launched by the malicious party to prove they have the capabilities to launch an attack.
Cloudflare has seen a recent spike in enterprise customers reporting RDDoS attacks. The malicious groups taking claim for the current threats of RDDoS attacks include well-known "hacker" groups such as Cozy Bear, Fancy Bear, and the Armada Collective.
We have seen empty threats from some of these groups in the past — attackers looking to make some quick cash assuming a percentage of organizations they threaten will pay the ransom no matter what. Recent attacks, however, have shown that these threats can and have been carried out — although organizations with DDoS mitigation in place remain protected.
DDoS attacks are always a threat, but 2020 has seen an increase in DDoS activity. The number of layer 3 and layer 4 DDoS attacks seen across the Cloudflare network doubled in Q2 compared to Q1 of 2020. Additionally, in Q2 2020, Cloudflare saw some of the largest DDoS attacks we have ever mitigated, including one attack that sent 754 million packets per second at its peak.
This trend has continued into the second half of the year. As DDoS attacks continue to increase, it is no surprise that RDDoS extortion attempts are also growing in popularity.
With the shelter-in-place orders as a result of the COVID-19 pandemic, organizations are more reliant on staying online than ever before. This dependency on the Internet leaves organizations susceptible to the threat of attack and open to extortion. It is clear that these attacker groups are looking for vulnerable organizations, regardless of size or industry, as we have seen the profile of targeted organizations vary widely.
The criminals behind the recent wave of ransom DDoS attacks claim to represent a few different groups, including Cozy Bear, Fancy Bear, and the Armada Collective. While their claims may be true, they are difficult to verify, and it has been a common practice for DDoS extortion racketeers to fake ties with well-known "hacker" groups to give their threats more weight.
Criminal groups have operated under the "Armada Collective" name for many years now. In 2015, a group called "Armada Collective" carried out several DDoS attacks. In 2016, they reappeared and extorted money from several victims by threatening DDoS attacks, claiming to be capable of attacks at "over 1 Tbps per second [sic]." Whether or not this was actually the same person or group as the Armada Collective that was responsible for the attacks in 2015 is unknown. According to our research, the group collected several ransoms but did not appear to actually carry out any DDoS attacks in 2016.
In 2020, the Armada Collective is active again — though it is still difficult to discern whether this is the same group or a different group claiming the same name. In contrast to the 2016 Armada Collective "attacks," this attacker or group is actually following through on its threats to DDoS its targets, as in 2015.
Fancy Bear is a Russia-based group that carries out cyber crime and espionage. In the past, Fancy Bear has targeted governments, political figures, and journalists, mostly using spear phishing attacks and malware exploits. The group is perhaps best known for compromising the U.S. Democratic National Committee's servers and network in 2016.
There have not been any credible reports of Fancy Bear using DDoS attacks to achieve their goals. It is not likely that any ransom DDoS attackers actually represent Fancy Bear — likely they are merely impersonating Fancy Bear.
Cozy Bear is another Russia-based cyber espionage group that tends to target political figures or groups. They have developed their own malware toolsets, which they use in combination with spear phishing attacks to compromise networks and servers. As is the case with Fancy Bear, there are no credible reports of Cozy Bear using DDoS as an attack method.
Step 1: Do not pay the ransom
Meeting the attackers' demands does nothing to prevent a potential attack, since it does not give criminal groups any incentive to keep their word. An organization that pays the ransom may be seen as an even more desirable target, since they have shown a willingness to comply with illegal demands.
Step 2: Alert the appropriate law enforcement authorities
Extortion is a crime. If someone has attempted to extort money from your organization by threatening a DDoS attack, make sure to file a report with the authorities.
Step 3: Deploy DDoS protection
DDoS ransom threats may seem intimidating, but most DDoS protection vendors can provide more than enough protection against the threatened attacks. The largest publicly disclosed DDoS attack in history, at 2.54 terabits per second (Tbps), took place in September 2017 and was mitigated.
While ransom DDoS attacks are on the rise, with DDoS protection in place, they do not have to be a concern. Contact Cloudflare for instant protection if your organization is under attack — with a no-contract process, under-attack companies can be onboarded within hours.
Dive deeper on this topic: get the Five Best Practices for Mitigating DDoS Attacks ebook to learn more about how to protect your organization from DDoS attacks.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.