Long-lasting DDoS attacks are back in business, according to an IT security product company. The longest attack in the quarter was active for 277 hours; more than 11 days, a 131 per cent increase compared to the first quarter of the year. This is so far a record for the year, says the Q2 2017 botnet DDoS report from Kaspersky Lab.
Duration was not the only feature of the DDoS attacks between April and June. The geography of incidents has also seen a change with organisations with online resources in 86 countries targeted in the second quarter (compared to 72 in the quarter before). The most affected countries were China, South Korea, USA, Hong Kong, UK, Russia, Italy, the Netherlands, Canada and France — with Italy and the Netherlands replacing Vietnam and Denmark that were among the top targets in the previous quarter.
Targets of DDoS attacks included one of the largest news agencies, Al Jazeera, Le Monde and Figaro newspaper websites and, reportedly, Skype servers. In the second quarter of 2017, an increase in crypto-currencies rates also led to cyber-criminals trying to manipulate prices through DDoS. Bitfinex, the largest Bitcoin trading exchange, was attacked simultaneously with the launch of trading in a new crypto-currency called IOTA token. Earlier, the BTC-E exchange reported a slowdown due to a powerful DDoS attack.
The interest of DDoS attack organisers in cash goes beyond manipulating crypto-currency rates. Using this type of attack to extort money can be beneficial as trends in Ransom DDoS or RDoS demonstrate. Cybercriminals usually send a message to the victim demanding a ransom that ranges from five to 200 bitcoins. If the company refuses to pay, attackers threaten to organise a DDoS attack on a critically important online victim resource. Such messages can be accompanied by short-term DDoS attacks to confirm the threats are very real. At the end of June, a large-scale RDoS attempt was made by the group called Armada Collective, who demanded about $315,000 from seven South Korean banks.
However, there is always another way; ransom DDoS with no DDoS. Fraudsters send out threatening messages to companies in the hope that someone will decide to be better safe than sorry. Demonstrations of attacks may never happen, but if just one company decides to pay, that brings profit with minimal effort from the cybercriminals.
Kirill Ilganaev, Head of Kaspersky DDoS Protection at Kaspersky Lab said: “Nowadays, it’s not just experienced teams of hi-tech cybercriminals that can be Ransom DDoS-attackers. Any fraudster who doesn’t even have the technical knowledge or skill to organise a full-scale DDoS attack can purchase a demonstrative attack for the purpose of extortion. These people are mostly picking unsavvy companies that don’t protect their resources from DDoS in any way and therefore, can be easily convinced to pay ransom with a simple demonstration.”
Kaspersky Lab warns that if a victim company decides to pay, it may bring long-term damage besides monetary cost. A ‘payer’ reputation spreads fast.
Comment
Dr Malcolm Murphy, Technology Director for Western Europe at Infoblox, said: “This news does not come as a surprise; DDoS attacks are extremely common and can be catastrophic to a business. The reality is that, as a critical piece of business infrastructure, DNS will always be a prime target for hackers and many organisations are still leaving their networks vulnerable to attack. Businesses are increasingly dependent on their networks. As these networks become bigger and more complex, the number of potential vulnerabilities are skyrocketing and, whilst there is no easy solution to securing DNS, there are a few steps that can help mitigate and respond to DNS-based DDoS attacks.
“All organisations urgently need to automate their network management in order to gain full visibility – with such a rapidly changing threat landscape it may not always be clear what an attack looks like, but anomalies in DNS queries will be more easily identifiable.”
