DDoS Ransom Attacks: What You Need to Know

A DDoS ransom attack occurs when a cyber-criminal tries to extort money from an organization by threatening its web applications with a distributed denial-of-service attack. The 11 biggest DDoS ransom cyber-attacks of 2020 cost the victim organizations nearly $144m in ransom payments, investigation and rebuilding of their applications. Growth in sophisticated and diversified attack vectors led to a 50% jump in DDoS ransom attacks in the third quarter of 2020 versus 2019, and even the length of an average DDoS attack rose by 24% in 2020.

How Does a DDoS Ransom Attack Work?

To execute this attack, hackers flood a network with large volumes of incoming traffic to overload it. Within minutes the server is exhausted and the web application stops functioning effectively. The traffic comes from a ‘distributed’ network of devices that the attackers have infected with malware and instructed to send requests to the targeted application. These days, cyber-attackers can also buy cheap botnet services on the dark web to do the same.

In August 2020, the New Zealand stock exchange suffered multiple outages as a result of being repeatedly attacked. In November 2020, SunCrypt ransomware was used to attack the Irish home appliances company Glen Dimplex, forcing it to resume negotiations with the hackers and pay the ransom.

How to Respond to a DDoS Ransom Attack?

Usually, hackers send a ransom note threatening an impending attack. They may take credit for a previous attack or claim affiliation with well-known groups such as the Lazarus Group or Fancy Bear. The ransom note also states the deadline and the instructions for delivering the payment.

The adverse impact of a ransom attack can be curbed if dealt with swiftly. Let us look at a possible course of action:

Check for a demo attack: sometimes, hackers carry out a small attack to demonstrate their capabilities. If the ransom note claims such a demonstration, check the network logs for a traffic spike that would corroborate it.

Educate the workforce: a ransom attack is a numbers game. The notes are often sent to a large base of publicly available email addresses, and if even a few recipients pay, the campaign has paid off. Since any member of staff may receive such a mail, it is important to educate them on what to do when they receive a threat. Organizations must also establish a clear line of communication and ownership so that the response is swift.

Never pay the ransom: paying a ransom to criminals is never effective. It may stop an attack temporarily, but there is no guarantee that the extortion will not continue in the future. An organization that gives in to these illegal demands is seen as a soft target and is therefore more likely to be targeted again. Secondly, paying a ransom funds the attackers’ future crimes and validates their approach. In principle, it is better to spend more on mitigating the risk than to pay the ransom; in the long run this is more cost-effective not just for your business but for the industry as a whole.

Dealing with a fake threat: in some cases a ransom note is not credible, and a firm ends up paying for nothing. This is another reason never to pay the ransom and instead to focus on strengthening the organization’s cybersecurity measures. Having said that, every threat must be treated seriously, and the best way to do so is by investing in DDoS protection tools.

Common Protection Strategies

Ransom attack mitigation involves protecting on-site servers and network equipment by taking the following steps:

  1. Detecting the early warning signs: to mitigate a ransom denial-of-service attack, it is important to spot the early warning signs. To begin with, keep tabs on the website’s real-time traffic; website security solutions can help with this, and even Google Analytics can show real-time traffic once its real-time reports are turned on. You can also check the website’s data-usage statistics for any spike in numbers. If usage climbs abnormally, it may point to an attack.
  2. Installing a web application firewall: since this attack targets a web server, security measures such as a web application firewall apply. You may also use a firewall plugin on the website to monitor incoming traffic and block suspicious requests. Hiring a professional to implement DDoS security measures is another good way to stay ahead of the problem.
  3. Emergency measures: if you find yourself in the middle of an attack, you can take the website down temporarily to stop it. Before bringing it back online, take preventive actions such as installing a firewall.
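One way to carry out the log check described under ‘Check for a demo attack’ and the traffic monitoring in step 1 above, as an added example that is not from the article or from the AppTrana product: a small Python script that parses web server access logs in the common ‘combined’ format into one-minute buckets and flags any minute whose request count far exceeds the median of the preceding minutes. The log format, the thresholds (`baseline_minutes`, `factor`, `min_requests`) and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Regex for one line in the Apache/Nginx "combined" access-log format (an assumption
# about the log source; adapt the pattern for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed log line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FMT)
    except ValueError:
        return None
    return {"ip": m["ip"], "ts": ts, "request": m["req"], "status": int(m["status"])}


def bucket_by_minute(lines):
    """Group requests into one-minute buckets, counting requests and distinct client IPs."""
    buckets = defaultdict(lambda: {"requests": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        minute = rec["ts"].replace(second=0, microsecond=0)
        buckets[minute]["requests"] += 1
        buckets[minute]["ips"].add(rec["ip"])
    return dict(sorted(buckets.items()))


def find_spikes(buckets, baseline_minutes=5, factor=5.0, min_requests=50):
    """Flag any minute whose request count is more than `factor` times the median of the
    preceding `baseline_minutes` minutes and at least `min_requests` (so a quiet site going
    from 1 to 6 requests does not alert). The thresholds are illustrative assumptions.
    Returns a list of (minute, requests, distinct_ips, baseline_median)."""
    minutes = list(buckets)
    alerts = []
    for i, minute in enumerate(minutes):
        window = minutes[max(0, i - baseline_minutes):i]
        if len(window) < baseline_minutes:
            continue  # not enough history yet to judge this minute
        baseline = median(buckets[m]["requests"] for m in window)
        count = buckets[minute]["requests"]
        if count >= min_requests and count > factor * baseline:
            alerts.append((minute, count, len(buckets[minute]["ips"]), baseline))
    return alerts


def build_sample_log():
    """Constructed sample, not real traffic: six quiet minutes of 8 requests each from a
    handful of clients, then one minute with 300 requests spread over 150 addresses,
    plus one malformed line to show that parsing failures are skipped."""
    start = datetime(2020, 11, 2, 10, 0, tzinfo=timezone.utc)

    def fmt(ip, ts, path):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for minute in range(6):
        for n in range(8):
            ts = start + timedelta(minutes=minute, seconds=7 * n)
            lines.append(fmt(f"203.0.113.{n + 1}", ts, f"/page/{n}"))
    burst = start + timedelta(minutes=6)
    for n in range(300):
        ts = burst + timedelta(seconds=n // 5)  # 5 requests per second for a full minute
        lines.append(fmt(f"198.51.100.{n % 150 + 1}", ts, "/"))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for minute, count, ips, baseline in find_spikes(bucket_by_minute(build_sample_log())):
        print(f"{minute:%Y-%m-%d %H:%M}: {count} requests from {ips} addresses "
              f"(baseline median {baseline:.0f}/min)")
```

The distinct-address count reported with each alert is what separates a flood from many sources from a single misbehaving client or crawler, which is the first question an analyst asks when a ransom note claims a demonstration. The baseline length and multiplier should be tuned to the site’s normal traffic pattern; a site with strong daily cycles needs a longer baseline than the five minutes used here.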

With their increasing frequency and severity, protection against DDoS ransom attacks is a dire necessity for organizations. Fully managed web application security solutions like AppTrana help protect effectively against DDoS ransom attacks. AppTrana monitors incoming traffic, detects vulnerabilities and protects applications instantly with virtual patching, without affecting performance.
