Attacks on WAFs Triple in Size as Ransom Demands Re-Emerge

The last quarter of 2020 has seen a wave of attacks on websites, in addition to ransom DDoS or “RDoS” attacks, which have targeted business across a number of industries for financial gain. 

According to research from Akamai, the largest of these DDoS attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign of higher Bits Per Second (BPS) and Packets Per Second (PPS) than similar attacks had displayed a few weeks prior.

“Prior to August, the signal vectors had been primarily used to target the gaming industry,” the company claimed. “Starting in August, these attacks abruptly swung to financial organizations, and later in the cycle, multiple other verticals.”

Akamai explained that none of the vectors involved in these series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. “Seeing a common set of protocols being used as amplifiers in a DDoS campaign is, by itself, an indicator of new tools, or configurations, being used by criminals, rather than an indicator of an extortion campaign,” it said.

However, multiple organizations began to receive targeted emails with threats of DDoS attacks, where this would be launched unless a ransom amount was paid. Richard Meeus, director of security technology and strategy at Akamai, said a small DDoS would be made against the company “to show that they [attackers] were serious, and then there was a threat of a 1Tbps attack if you didn’t pay.”

“Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point,” Meeus said. “In contrast, this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.”

Whilst Akamai said many of the extortion emails end up caught by spam filters, not all targets are willing to admit they’ve received an email from the attackers

“This extortion DDoS campaign is not over,” Akamai said, “the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.”

This campaign maxed out in August and September, “and it reached its peak, perhaps when the attackers believed they had been mitigated and began to start changing their tactics.” This included a move to use different layer three and four attacks, which are usually targeted at data centers, websites and APIs.

In addition, the last few months has been characterised by an uptick in attacks against web application firewalls. Speaking on a webinar last week, Richard Meeus, director of security technology and strategy at Akamai, said the company had seen the number of web application attacks per day in the UK alone increase from one million in January of this year to three million in September. “When we look at the specific data points, and look at the last two big spikes, they were both against financial services,” he said.

Meeus was quite surprised by this 200% increase in attacks against web application firewalls. Meanwhile, he described how the threat from ransom DDoS attacks continues to be prevalent, explaining, “DDoS attacks come in waves” and “ransom attacks have been going on for a number of years and we successfully take down the perpetrators, but they come back again as it is an extortion technique that works.”

What’s Hot on Infosecurity Magazine?