Ransomware has received a lot of attention recently, but an older threat — extortion by threat of distributed denial-of-service (DDoS) attacks — also demands our focus. By making servers or services unavailable, DDoS attacks can be crippling to both an organization’s finances and its brand reputation. DDoS attacks can be simple or sophisticated, but they’re calculated nonetheless and are usually profit-driven. They can also be used to cover up something more sinister, as seen with the Dyre Wolf campaign. Adding the element of extortion to this type of attack only magnifies the gravity of the situation and the potential financial loss to the targeted organization.

DDoS Extortion in a Nutshell

Not all DDoS extortion attacks run the same course, but several publicly announced incidents have had similar characteristics. Extortionists often illustrate their capabilities by performing a small attack such as shutting down a website for 15 minutes via a volumetric attack. This is followed by an email requesting that the victims pay a monetary sum within a certain period of time — say, 24 hours — or face more attacks.

Ransom notes are often candid, intimidating and designed to coerce companies to pay up — quickly. The instructions are clear, the threat is evident and time is usually limited to further increase the exigency of the threat. If the ransom is not paid within the specified period of time, the attackers often follow through on their promise of additional attacks. What do you do? To pay or not to pay? That is the question.

Read the complete research paper: Extortion by distributed denial of service attack

Not a Bitcoin Miner? Doesn’t Matter

Extortionists are diversifying their targets. DDoS extortion attacks have been primarily a concern for small Web-based companies, gambling websites and virtual currency-based businesses. However, there is evidence that attackers are broadening their scope and diversifying their targets to include different industry sectors, regions and larger organizations. In May of this year, two of the largest banks in Hong Kong were targeted with DDoS attacks that were followed by a note demanding payment. These attacks are suspected to be the work of extortionist hacker group DD4BC.

DDoS Attacks: Difficult to Deflect Without Specialized Skills and Tools

A DDoS attack can be difficult to deflect without specialized mitigation measures in place simply because there is no single attacker to defend from; the targeted resource is flooded with requests from many hundreds or thousands of multiple sources. During an attack, organizations may experience significant increases in page load times, transactions could fail or services could be made completely unavailable.

Organizations with a multifaceted approach will be better equipped to defend against volume-based, protocol-based and application-based DDoS attacks. Companies should develop a plan that is both proactive and responsive, placing them in a position to effectively defend against DDoS attacks. The alternative is to negotiate with the attackers and pay up — potentially leading to future extortion attempts. There are multiple ways to proactively prevent DDoS attacks. For recommendations, refer to the research paper “Extortion by DDoS.”

View all the latest IBM Security Services Research

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-ranking banking trojan Ramnit out to steal payment card data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today