How Ransomware is Teaming Up with DDoS


Ransomware just won’t go away. With each passing year, we get new families and new improvements, along with a growing pile of victims who had their data and systems held hostage.

It bucks many of the trends that other malware families thrive off. In fact, the key to ransomware’s success is its simplicity. It’s not trying to be quiet or graceful – it just locks up systems and demands money to unlock them.

It’s that simplicity that has made ransomware one of the top threats to the enterprise today. In 2016, there was a ransomware attack every 40 seconds; by 2019, that was once every 14 seconds. Cybersecurity Ventures have predicted that, in 2021, this will increase to one every 11 seconds.

DDoS has run side by side with ransom activity for a long time. In many cases, cyber-criminals would hit networks with overwhelming attacks, crippling their operations and then offer their victims respite for cash. In 2015, a group called the Armada Collective unleashed crippling DDoS attacks on three different Greek banks and demanded a ransom of 200,000 bitcoins, equal to $7.2m at 2015 prices.

Most recently, the Lazarus group shook down a major Fortune Global 500 company, DDoSing them and demanding 20 bitcoins. The group threatened an even larger DDoS attack and a larger ransom of 30 bitcoins if the company did not pay soon. As far back as 2018, Corero research found that 70% of organizations had experienced ransom-driven DDoS.

In the past few years, ransomware gangs have also used DDoS as a distraction to obscure the infiltration of malware. These attacks are generally low volume and typically last under five minutes – all the time an adversary needs to slip its malware into the system.

Throughout 2020, industry commentators highlighted the fact that ransomware gangs were using DDoS attacks to intensify their campaigns, and several groups using this very tactic have come to light in recent months.

The Avaddon group, for example, has notably used this tactic as a way to drag their victims back to the negotiation table. In one case, the victims were largely unperturbed by their ransomware attack, so Avaddon also hit their site with a DDoS attack. As the group noted on their website: “their site is currently under DDoS attack, we will attack it until they contact us.”

In October 2020, a SunCrypt ransomware attack was quickly followed by a DDoS attack. As the gang stated in their interactions with the victim, the DDoS attack was a means to force them back to the negotiation table. Disclosed transcripts of their conversations show the attacker stated: “we were in the process on the negotiations and you didn’t show up so further actions were taken.” When negotiations resumed, the assailants turned off the ransomware attack.

There are a number of potential reasons for this new development. Firstly, it’s a great way to pile pressure on a victim who doesn’t want to pay. Secondly, enterprises are now well aware of ransomware and the countermeasures they can use to protect against it. A well-placed DDoS attack on an enterprise’s backend could potentially stall remediation efforts. To boot, DDoS attacks are cheap – sometimes as little as $10 per hour – and don’t require a great level of expertise to pull off, making them an easy option for kicking a ransomware victim when they’re down.

Of course, whatever the new developments in cyber-criminality, DDoS and ransomware attacks lead to the same thing: downtime. Research shows that the average cost of downtime in 2019 was between $300,000 and $400,000 an hour. That’s perhaps why so many victims are willing to pay ransoms: however high they run, they are often still cheaper than a few hours of lost business.
