What is a DDoS Extortion Attack and How do you Respond to it?

Posted July 27, 2021 | 3 min read

DDoS extortion attacks have skyrocketed over the past year and are expected to keep trending upward. DDoS attacks themselves are not new; what has changed is that cybercriminals now use them, or the threat of them, to extort money from organizations by causing downtime and preventing legitimate users from reaching the web application. With the global pandemic forcing organizations to adopt remote working, cybercriminals have seized the opportunity to launch unprecedented numbers of DDoS attacks, including DDoS extortion attacks.

In this article, we help you understand what these attacks are and how to respond to them.

What are DDoS Extortion Attacks?

DDoS extortion attacks, also known as ransom DDoS (RDDoS) attacks, are attacks in which malicious actors demand money from organizations or individuals under threat of, or during, a distributed denial-of-service (DDoS) attack. Like any DDoS attack, the flood of traffic prevents legitimate users from reaching the application or service, causing significant operational disruption, financial losses, legal costs and reputational damage.

How do RDDoS attacks work?

Typically, one of three patterns is used:

  • The attacker launches the DDoS attack first and then sends a ransom note or email demanding payment to stop it.
  • The attacker first hits a specific element of the organization's infrastructure with a short, demonstrative attack to prove that the threat is real, then follows up with a ransom note threatening a larger attack.
  • The attacker sends the ransom note before any attack. The sender may be incapable of carrying out the attack and the threat may be empty. Given the cost of downtime, however, it is unwise to assume that; capable attackers usually reconnoitre the target beforehand (public IP ranges, DNS, which services sit behind a mitigation provider and which do not) so that the note names assets they can actually hit.

Whether the note arrives before the attack (and the attacker follows through) or after it has begun, DDoS extortion works like any other DDoS: the attacker overwhelms applications or services with traffic that slows them down or crashes them, making them unavailable to legitimate users. If the ransom is paid, the attack may stop, or the attacker may come back with further demands. Paying is strongly discouraged.

Recent DDoS Extortion Attacks

Beginning in mid-August 2020, cybercriminals posing as Fancy Bear (APT28) and the Armada Collective ran RDDoS campaigns demanding bitcoin payments (roughly USD 50,000 to 300,000) to call off attacks. The campaigns were largely aimed at the financial services and travel industries; upstream internet transit providers were targeted as well.

Most used attack vectors

The campaigns used one or more of the following DDoS vectors, several of them UDP reflection/amplification:

  • DNS reflection/amplification
  • NTP reflection/amplification
  • CLDAP reflection/amplification
  • Spoofed SYN-flooding
  • ARMS (Apple Remote Management Service) reflection/amplification
  • WS-DD (WS-Discovery) reflection/amplification
  • SSDP reflection/amplification
  • GRE and ESP packet-flooding
  • TCP ACK-floods
  • TCP reflection/amplification (unsolicited SYN-ACKs from real servers to a spoofed victim address)
  • Packet floods over other IPv4 protocols
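As an added example (not code from Indusface or from this article), the following Python script tags sampled flow records with the vectors listed above and raises an alert when a destination's per-vector packet rate crosses a threshold. The flow records, the 60-second export window, the 400 bytes-per-packet reflection cut-off and the 1,000 pps alert threshold are all assumptions; the port-to-vector mapping uses the services' IANA-assigned ports.

```python
"""Added example (not Indusface code): tag sampled flow records with the DDoS
vectors listed above and raise an alert when a destination's per-vector
packet rate crosses a threshold. Field names follow a NetFlow/IPFIX-style
export; the exporter, the sampling window and the thresholds are assumptions,
and every flow below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# UDP source ports of services commonly abused as reflectors (IANA ports),
# mapped to the vector names used in the article.
REFLECTOR_PORTS = {
    53: "DNS reflection/amplification",
    123: "NTP reflection/amplification",
    389: "CLDAP reflection/amplification",
    1900: "SSDP reflection/amplification",
    3283: "ARMS reflection/amplification",
    3702: "WS-DD reflection/amplification",
}
IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_GRE, IP_PROTO_ESP = 6, 17, 47, 50
# Assumed cut-off: reflected replies average far more than 400 B/packet,
# ordinary answers from these services to one client do not. Tune to baseline.
REFLECTION_MIN_BYTES_PER_PKT = 400


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int           # IP protocol number
    packets: int
    bytes: int
    tcp_flags: str = ""  # cumulative TCP flags seen in the flow, e.g. "S", "SA", "SPA"


def classify(flow: Flow) -> Optional[str]:
    """Name the listed vector a flow matches, or None for benign-looking traffic."""
    if flow.proto == IP_PROTO_UDP:
        vector = REFLECTOR_PORTS.get(flow.src_port)
        if vector and flow.packets and flow.bytes / flow.packets >= REFLECTION_MIN_BYTES_PER_PKT:
            return vector
        return None
    if flow.proto == IP_PROTO_TCP:
        if flow.tcp_flags == "S":   # SYNs that never progress: spoofed SYN flood
            return "Spoofed SYN-flooding"
        if flow.tcp_flags == "A":   # bare ACKs with no handshake: ACK flood
            return "TCP ACK-floods"
        if flow.tcp_flags == "SA":  # unsolicited SYN-ACKs: victim address spoofed in SYNs to real servers
            return "TCP reflection/amplification"
        return None                 # full handshakes ("SPA", "SAF", ...) look like real sessions
    if flow.proto in (IP_PROTO_GRE, IP_PROTO_ESP):
        return "GRE and ESP packet-flooding"
    return "Other IPv4 protocol packet-flooding"  # ICMP and the rest; only the rate decides


def attack_rates(flows: List[Flow], window_seconds: int) -> Dict[Tuple[str, str], float]:
    """Packets per second per (destination, vector) over the export window."""
    pps: Dict[Tuple[str, str], float] = defaultdict(float)
    for f in flows:
        vector = classify(f)
        if vector:
            pps[(f.dst_ip, vector)] += f.packets / window_seconds
    return dict(pps)


def alerts(flows: List[Flow], window_seconds: int, pps_threshold: float) -> List[Tuple[str, str, int]]:
    """(destination, vector, pps) for every pair at or above the threshold."""
    return sorted(
        (dst, vector, round(rate))
        for (dst, vector), rate in attack_rates(flows, window_seconds).items()
        if rate >= pps_threshold
    )


# Constructed 60-second export. 203.0.113.10 is the victim; 198.51.100.0/24
# hosts reflectors; 192.0.2.0/24 hosts ordinary clients (all documentation ranges).
SAMPLE_FLOWS = [
    Flow("198.51.100.5", 389, "203.0.113.10", 44123, IP_PROTO_UDP, 120_000, 360_000_000),
    Flow("198.51.100.6", 389, "203.0.113.10", 44123, IP_PROTO_UDP, 110_000, 330_000_000),
    Flow("198.51.100.7", 389, "203.0.113.10", 44123, IP_PROTO_UDP, 100_000, 300_000_000),
    Flow("198.51.100.53", 53, "203.0.113.10", 44123, IP_PROTO_UDP, 30_000, 45_000_000),    # low-rate DNS reflection
    Flow("192.0.2.77", 51000, "203.0.113.10", 443, IP_PROTO_TCP, 900_000, 54_000_000, "S"),  # spoofed SYN flood
    Flow("192.0.2.10", 52000, "203.0.113.10", 443, IP_PROTO_TCP, 40, 6_000, "SPA"),      # real HTTPS session
    Flow("198.51.100.53", 53, "203.0.113.20", 40000, IP_PROTO_UDP, 2, 240),             # legitimate DNS answer
    Flow("192.0.2.11", 0, "203.0.113.10", 0, 1, 5, 420),                                 # a few ICMP echoes
]

if __name__ == "__main__":
    for dst, vector, rate in alerts(SAMPLE_FLOWS, window_seconds=60, pps_threshold=1_000):
        print(f"{dst}: {vector} at {rate} pps")
```

Against the constructed records this alerts on the CLDAP reflection and the SYN flood aimed at the victim but not on the 500 pps DNS reflection, which is why the threshold has to come from your own traffic baseline rather than a fixed number. In production you would feed it from your flow exporter and hand the flagged (destination, vector) pairs to whatever pushes filters to your upstream (ACLs, RTBH or flowspec).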

Responding to DDoS Extortion

Should you pay the ransom?

NO.

Aside from the direct financial loss, paying does not guarantee that the attacker will stop. They may not halt the attack as agreed, may launch it anyway, or may return later with further demands or new attacks.

Secondly, the DDoS Extortion threat could be an empty threat. This means the organization has paid the attacker for nothing.

Thirdly, ransom payments enable attackers to fund their extortion campaigns better. They could use the money to expand their capabilities, improve attack sophistication or buy advanced technology for improved reconnaissance.

How to Respond?

If the organization receives a ransom note, report it to the appropriate law enforcement authorities straight away and preserve the note itself (full email headers, the payment address and the deadline) as evidence. Check whether the IP addresses or domains the note names actually belong to you and whether they sit behind your mitigation provider. Then notify your transit ISPs, your DDoS mitigation provider if you have one, and the other organizations that provide your critical internet-facing services (authoritative DNS hosts, CDN, etc.) so that they are ready before any deadline and can confirm what they see on their side.

If you already have effective DDoS protection from a service provider such as Indusface, the application is well placed to stay available even if the threat actor follows through, but confirm with the provider that every asset named in the note is actually covered.

If you have no DDoS controls in place, put safeguards in place before the deadline: an upstream scrubbing or mitigation service, rate limiting at the edge, and an agreed procedure with your ISP for filtering or blackholing attack traffic. If you are already under attack, engage a security service provider and your upstream ISP immediately to stop the attack and limit the impact.

Conclusion

Given the unprecedented number of DDoS extortion attacks, the organizations that have fared best are those with robust DDoS protection already in place. Those without have either paid ransoms or scrambled to deploy controls on the day of the attack, or under threat of one, to limit the disruption. Implement effective DDoS mitigation practices and security controls today so that an RDDoS threat has no leverage.

Ritika Singh
