Pay Us the Money or the Website Gets It: Extortion by DDoS
Receiving an extortion letter instructing to “pay us in bitcoins or your site will suffer a distributed denial-of-service (DDoS) attack” has become almost commonplace in the last two years. They say there’s nothing new under the sun, and this applies to the Internet just as much as anything else.
As soon as businesses realized there was money to be made by having a website and selling things, other people realized that there was money to be made by taking it down or threatening to do so. It’s an old cycle that has happened every time a new method of making money has been discovered. Over the last 24 months, DDoS attacks have become a favorite tool for extortion.
A History of Cyber Extortion
Extortion by DDoS is old hat for those in the online gaming and gambling sectors. In the late 1990s, as the fledgling Internet started gaining traction, one of the biggest concerns for organizations was DDoS attacks. If your site was offline, customers would rather go check out one of your competitors than wait for it to be available again, and some of them never return.
Later, it was the hospitality sector — hotels and other online booking services — that started suffering attacks. While these strikes weren’t uncommon, they also weren’t newsworthy, in part because businesses downplayed their impact and their effects were still relatively minor to businesses in the grand scheme of things.
Over the last couple of years, things have changed — and not for the better. In September 2014, a group calling themselves DD4BC (DDoS for Bitcoin) began sending CFOs and CSOs emails stating, “Pay us or else,” and threatening to bring hundreds of gigabits per second of traffic to bear against the organization. Many companies discounted the emails only to see their sites impacted by the promised traffic, first for a short burst of time and later for an extended length, though mostly in the megabit range rather than the gigabit.
While there’s nothing more than rumors of organizations paying the extortion demands, the fact that DD4BC kept up the attacks until July 2015 suggested there was enough money being made to continue the efforts.
Copycats Attempt Additional Scams
Though DD4BC stopped their attacks for reasons unknown, it doesn’t mean we’ve seen a decrease in the use of DDoS for extortion. In fact, a number of copycats have sent out emails mimicking DD4BC over the past year. One new group calling itself the Armada Collective arrived on the scene in October.
Using similar tactics to DD4BC, the Armada Collective demands approximately $5,000 to $10,000 in bitcoins to an anonymous account or an organization will be hit with more than 1 terabit per second of traffic. A short demonstration of 15 minutes or fewer is then performed. If the extortion isn’t paid, a longer attack commences, with the cost to stop going up. The most recent high-profile target of the Armada Collective has been secure mail services such as ProtonMail.
The Security Intelligence Research Team (SIRT) at Akamai (full disclosure: I work for Akamai) has been tracking this new organization and believes that the Armada Collective is a copycat group distinct from the earlier DD4BC. While the threat letter promises an attack of 1 Tbps, the reality of the group’s capabilities is quite a bit more modest.
The initial attacks by the group were under 1 Gbps, though more recent attacks have been larger, topping out at just over 50 Gbps in the case of ProtonMail. The majority of this traffic is generated by spoofing the IP address of the target and reflecting network protocols, such as DNS and NTP, off vulnerable servers around the Internet, but there is also application layer traffic in the mix.
About the New DDoS Attacks
These attacks aren’t isolated examples or one-time events. Multiple other secure mail services have received the same threats, and blogger Graham Cluley even came under attack after writing about the Armada Collective. For every one of these publicly acknowledged targets, it’s likely there are multiple extortion recipients who won’t disclose that they’ve been threatened. It’s also highly likely that the Armada Collective has moved on from large organizations who can afford the technology to protect themselves to smaller organizations that might not have the expertise or systems to protect themselves — they would rather pay to make the attacks go away.
Companies should develop a plan for cyberattacks that is both proactive and responsive, placing them in a position to effectively defend against DDoS attacks. In my opinion, paying a ransom is a mistake. ProtonMail paid and the attacks continued, though the Armada Collective claims it was a second group that picked up the charge.
Whether this is true or not, paying organizations like DD4BC or the Armada Collective only encourages them to continue their attacks. They may stop attacking your organization in the short term and move on to other targets, but groups like these talk to each other. Once it’s known that your organization will pay, the odds of becoming the target of another attack increase greatly.
It is unlikely that the use of DDoS for extortion is going to come to an end anytime soon. The tools needed to attack your site are cheap and easy to use. That attack that you’re being asked to spend $6,000 to stop probably only costs the attacker $40 an hour to launch, meaning every time a business pays, it’s funding 150 hours of attacks on other targets. Paying attackers fuels their capabilities and makes it more likely they’ll continue to attack businesses globally.
There are multiple ways to proactively prevent DDoS attacks, from on-premises equipment to solutions offered by ISPs and cloud-based services that fight the attacks at their data center rather than yours. Reaction to online extortion shouldn’t be any different than if you experienced it in the real world: Contact law enforcement and prepare your defenses.