Ransomware dominated the cybercrime scene last year, causing more than $1 billion in losses worldwide and earning criminals hundreds of millions of dollars in profit. Meanwhile, distributed denial of service (DDoS) attacks, which had cooled off, have returned in full force and are now being used by ransomware operators to put additional pressure on companies they have already breached.
Reports from DDoS mitigation companies note that 2020 set a record for DDoS attacks, both in attack volume and in the number of attack vectors used. Worse, the upward trend has continued this year: Akamai tracked three of the six largest DDoS attacks ever recorded during February alone, and in the first three months of the year it saw more attacks exceeding 50 Gbps than it recorded in all of 2019. The company estimates that an attack above 50 Gbps is enough to take down most online services that lack anti-DDoS mitigation, simply by saturating their bandwidth.
The motives behind DDoS attacks vary, from unscrupulous operators who want to knock out competing services to hacktivists sending a message to organizations they disagree with. Extortion, however, has become one of the main drivers of this kind of illegal activity, and undoubtedly the most profitable one, because DDoS attacks require little investment: DDoS-for-hire services cost as little as $7 per attack on dark web forums, putting them within reach of almost anyone.
DDoS is now also being used by several ransomware groups as an additional extortion technique, in what is known as ransom DDoS, or RDDoS. Extortion campaigns of this kind invoke the names of state-sponsored hacking groups such as Fancy Bear (Russia) and Lazarus (North Korea), which is how one such group came to be dubbed the Lazarus Bear Armada (LBA). The group first launches demonstration DDoS attacks of 50 to 300 Gbps against selected targets, then follows up with an extortion email claiming 2 Tbps of DDoS capacity and demanding payment in Bitcoin.
The group predominantly targets organizations in the financial, retail, travel and e-commerce sectors around the world, and appears to carry out reconnaissance and planning beforehand. It identifies non-generic email addresses that victim organizations are likely to monitor, and it targets critical but not obvious applications and services, including VPN concentrators, which indicates an advanced level of planning.
Unlike groups such as the LBA, which rely solely on RDDoS to extort money from organizations, ransomware gangs use DDoS as one more lever to convince victims to pay the ransom, in the same way they use the threat of leaking stolen data. Some ransomware attacks are therefore now a triple threat combining file encryption, data theft and DDoS. Ransomware gangs that use, or claim to use, DDoS in this way include Avaddon, SunCrypt, Ragnar Locker and REvil.
Akamai saw a 57% year-over-year increase in the number of unique organizations attacked. “Clinging to the hope of a large Bitcoin payment, criminals began to increase their efforts and their attack bandwidth, which puts an end to any notion that DDoS extortion was old news,” company researchers said last month in a report.
Also according to Akamai, almost two-thirds of the DDoS attacks seen last year used multiple vectors, some as many as 14. The most popular DDoS vector in 2020, as in recent years, was DNS amplification. Other protocols commonly abused for amplification include Network Time Protocol (NTP), Connectionless Lightweight Directory Access Protocol (CLDAP), Simple Service Discovery Protocol (SSDP), Web Services Dynamic Discovery (WSD or WS-DD), Remote Desktop Protocol (RDP) over UDP and Datagram Transport Layer Security (DTLS). All of these are UDP services that answer a small request with a much larger reply: the attacker sends requests with the victim's spoofed source address, and the victim receives the replies from the reflectors' service ports. A practical consequence is that the source addresses seen during such an attack belong to the reflectors, not to the attacker, so blocking them is of limited value compared with filtering on the abused ports and protocols.
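As a practical illustration of how these vectors show up on the victim side, here is an added example, not code from the article or from Akamai or any other mitigation vendor: a Python script that classifies sampled UDP flow records by reflection vector using the reflector's source port, reports mean packet size per vector, and flags a multi-vector flood. The flow-record layout, the sample records, the mapping of 443/udp to DTLS and the byte thresholds are all assumptions made for the example.

```python
"""Classify sampled UDP flow records by reflection vector and flag multi-vector floods.

Added example, not code from the article or from any DDoS mitigation vendor.
The flow-record layout, the port-to-vector table, the sample records and the
thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# A reflector answers the spoofed request from its own service port, so in the
# traffic that reaches the victim the UDP *source* port identifies the vector.
# DTLS has no single registered port; mapping 443/udp to it is an assumption
# (it matches DTLS on some VPN/ADC appliances, but will also catch QUIC).
VECTOR_BY_SRC_PORT = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    1900: "SSDP",
    3702: "WS-Discovery",
    3389: "RDP/UDP",
    443: "DTLS",  # assumption, see above
}


@dataclass(frozen=True)
class Flow:
    """One sampled flow record (NetFlow/sFlow-style), as assumed for this example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    bytes: int
    packets: int


def vector_of(flow: Flow):
    """Return the reflection vector a flow looks like, or None for non-UDP/unknown ports."""
    if flow.proto != "udp":
        return None
    return VECTOR_BY_SRC_PORT.get(flow.src_port)


def summarize(flows, victim_ip: str):
    """Aggregate traffic toward victim_ip per vector: bytes, packets, distinct reflectors, mean packet size.

    Mean packet size is the useful tell: a genuine NTP reply is 48 bytes while a
    monlist-style amplified reply runs to several hundred, and a genuine DNS
    reply is usually far smaller than the near-MTU replies seen in amplification.
    """
    acc = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f.dst_ip != victim_ip:
            continue
        vec = vector_of(f)
        if vec is None:
            continue
        acc[vec]["bytes"] += f.bytes
        acc[vec]["packets"] += f.packets
        acc[vec]["reflectors"].add(f.src_ip)
    return {
        vec: {
            "bytes": s["bytes"],
            "packets": s["packets"],
            "reflectors": len(s["reflectors"]),
            "avg_pkt": s["bytes"] // s["packets"],
        }
        for vec, s in acc.items()
    }


def is_multivector_attack(summary, min_vectors=2, min_bytes_per_vector=1_000_000):
    """Flag the window as a multi-vector flood when enough vectors each exceed a byte threshold.

    Thresholds are assumptions for the constructed sample; in practice they are
    set per link capacity and flow sampling rate.
    """
    active = sorted(v for v, s in summary.items() if s["bytes"] >= min_bytes_per_vector)
    return len(active) >= min_vectors, active


VICTIM = "203.0.113.10"  # RFC 5737 documentation address, constructed victim


def sample_flows():
    """Constructed flow records for one sampling window (not real traffic)."""
    return [
        # DNS reflection: three open resolvers, near-MTU replies
        Flow("198.51.100.1", 53, VICTIM, 40001, "udp", 1_400_000, 1000),
        Flow("198.51.100.2", 53, VICTIM, 40002, "udp", 1_400_000, 1000),
        Flow("198.51.100.3", 53, VICTIM, 40003, "udp", 1_400_000, 1000),
        # NTP reflection: two servers, 482-byte monlist-sized replies
        Flow("192.0.2.10", 123, VICTIM, 40004, "udp", 2_410_000, 5000),
        Flow("192.0.2.11", 123, VICTIM, 40005, "udp", 2_410_000, 5000),
        # SSDP trickle: present but below the per-vector threshold
        Flow("198.51.100.50", 1900, VICTIM, 40006, "udp", 300_000, 1000),
        # TCP from port 53 (TCP DNS / zone transfer): not a reflection candidate
        Flow("198.51.100.4", 53, VICTIM, 40007, "tcp", 5_000_000, 4000),
        # UDP/53 reply to a different host: outside the victim filter
        Flow("198.51.100.5", 53, "203.0.113.20", 40008, "udp", 2_000_000, 1500),
    ]


if __name__ == "__main__":
    summary = summarize(sample_flows(), VICTIM)
    for vec, s in sorted(summary.items()):
        print(f"{vec:13s} bytes={s['bytes']:>10,} reflectors={s['reflectors']} avg_pkt={s['avg_pkt']}")
    flagged, vectors = is_multivector_attack(summary)
    print("multi-vector attack:", flagged, vectors)
```

On the constructed sample the script attributes DNS and NTP traffic to three and two reflectors respectively and flags the window as a two-vector attack, while the SSDP trickle stays below the threshold; the TCP flow and the flow aimed at another host are ignored. The same port table is the starting point for the mitigation rules a practitioner would rate-limit or drop upstream during an attack.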