DDoS attacks
    that also demand
    a ransom
    add new twist
    to an old cybercrime

  • Author: David Grady

Distributed Denial of Service (DDoS) attacks used to be simple: a cybercriminal would overwhelm a website with a tsunami of fake page requests and then laugh like a comic book villain when the website crashed.  But as network architecture has evolved, DDoS ransom attacks have evolved, too – leaving not just public facing websites vulnerable but critical applications and business processes dependent on communication networks also susceptible to disruption.   

And now many cybercriminals are demanding a ransom payment to stop their DDoS attacks – a new twist on an old attack method, likely inspired by the success of recent high-profile ransomware attacks.

Ransomware and DDoS are two very different kinds of attacks, each demanding a specific set of capabilities to mitigate. So when a DDoS attack that features the additional element of a ransom demand occurs, security leaders must combine the best practices for mitigating those two types of attacks into a whole new way of fighting back.

DDoS is a persistent threat

The merging of DDoS attacks and demands for ransom payments should not come as a surprise, according to Alex Pinto, who leads the team of researchers that creates the annual Verizon Data Breach Investigations Report (DBIR).  

Pinto says the 2021 DBIR – published in May -- shows that DDoS attacks were the most common type of security incident among the nearly 60,000 global incidents it studied for the report. The frequency of DDoS attacks have been growing steadily in the 14 years Verizon has published the report.  And the frequency of ransomware attacks – which maliciously encrypts data so as to hold IT systems hostage -- also rose significantly last year, according to Verizon.  Ransomware attacks where data is encrypted and stolen are now the third-leading cause of data breaches.   

Clearly, cybercriminals have seen the potential upside of combining these two attack methods.  Cheap “DDoS as a Service” tools -- readily available on the dark web – are accelerating the pace and size of such attacks.  

“DDoS attacks are extremely difficult to predict,” Pinto explains, “so it’s important for organizations to be able to detect and remediate them as fast as they can.  And if the attack includes an extortion element, that makes the task at hand even more challenging.  That kind of situation requires specific technical capabilities -- and a strong incident response plan.”

Size is not the primary concern in DDoS attacks

A prolonged and unmitigated DDoS ransom attack can lead to revenue loss, reputational damage and -- when aimed at critical infrastructure -- potential harm to public safety.  Some headline-grabbing DDoS attacks in recent years featured massive amounts of disruptive traffic being aimed at victims, Verizon’s research shows that most DDoS attacks are of a size that can easily overwhelm customer bandwidth or on premises equipment but are almost always manageable with a cloud based DDoS mitigation service.   Last October, for example, a well-known technology company reported mitigating a 2.54 terabyte attack – one of the largest DDoS attacks ever recorded yet according to Verizon’s DBIR research, and yet ninety-five percent of (DDoS) incidents fell between 13 Mbps and 99 Gbps.  These types of attacks can not be mitigated without the use of a cloud based, carrier-agnostic DDoS mitigation service like Verizon’s DDoS Shield.

An effective DDoS mitigation service is able to discern bad traffic from good and can redirect that traffic away from critical systems.  Because DDoS attacks target both the network and application layer, in addition to needing a strong DDoS solution, many organizations can also benefit by employing a cloud based Web Application Firewall (WAF) service to extend their protection.  Verizon’s Web Security, which offers a WAF feature, helps businesses protect their website, user applications and data by filtering, monitoring and blocking bad HTTP traffic on a near real-time basis.

“If you receive a DDoS attack threat, Verizon recommends that you do not pay.  Immediately ensure your DDoS mitigation and cyber resiliency plans are tested and notify your ISP,” says Wes Sobbott, Vice President, Network Security at Verizon.  “Attackers are also still targeting Authoritative DNS services, as these types of attacks are easy to launch and defense if much more difficult.   “We recommend that organizations do not host public-facing authoritative DNS services within their environment, but instead rely on third-party cloud providers to provide this service” says Sobbett.

Are you ready for a ransomware attack?

Using data provided by the FBI Internet Criminal Complaint Center (IC3), the Verizon DBIR team reported that for ransomware attacks, the median amount of money lost by the victim as a result of the attack was $11,150. The range of losses in 95% of the ransomware cases fell between $69 and $1.2 million.

Defending an organization against the growing threat of ransomware means knowing how the ransomware gets in in the first place, and which controls – from technology and business process refinement to employee training – are needed. 

The 2021 DBIR explains that ransomware attacks have some variety in terms of how the ransomware gets on the system, with threat actors using stolen credentials or ‘brute force’ tactics.  Nearly 60 percent of the ransomware cases the Verizon team studied involved direct install of ransomware or installation through desktop sharing apps. According to the report, the rest of the vectors were split between email, network propagation and downloaded by other malware.  “For these types of incidents and breaches, we largely see servers being targeted, which makes sense considering that’s where the data is located,” the DBIR states.

Preventing ransomware attacks may be very difficult, but there are still ways to protect systems and reduce the risk. To help organizations combat ransomware, the DBIR links its findings to a series of security controls from the Center for Internet Security that can be enacted by an organization and are considered industry-standard for building an effective security program.

Incident planning can lessen the impact of an attack

If ransomware does strike, your organization had better have a plan in place to manage the crisis, the experts say.

“A ransomware attack forces organizations to make some very tough decisions,” says Jim Meehan, Senior Investigations Manager in Verizon’s cybersecurity practice.  Meehan, who fought crime and cybercrimes as a member of the United States Secret Service for more than two decades, explains: “Should we pay? How much is too much?  Who approves the payment, and where do we get the money from? And what if the hacker takes the payment but leaks our data anyway?  You have to have a specific ransomware contingency plan and policy in place, well before such an attack, because you don’t want to be making those decisions in real time.  The longer an incident goes on, the more damage it will do to the company.” Meehan advises business leaders and security teams to collaborate regularly to ensure their ransomware response plans are up to date.

On June 2, 2021, Anne Neuberger, cybersecurity adviser at the National Security Council released an open letter to “corporate executive and business leaders” urging them to strengthen their ransomware protections by following a series of recommendations that include incident response planning and backing up sensitive data. 

"The threats are serious and they are increasing,” the White House letter stated.  “We urge you to take these critical steps to protect your organizations and the American public.”

Learn how Verizon can help your organization enhance its protection against DDoS and ransomware attacks.

David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.