

Doubling down on ransomware extortion

There’s a rising tide of cyber extortion, says Sanjay Radia, Chief Solutions Architect at the network management analytics product company NETSCOUT.

Last year heralded a genuine, palpable shift in the volume and intensity of cybercriminal activity. The upheaval caused by the ongoing pandemic has affected every level of our society, with businesses and the general public focusing their efforts on adapting to a dramatically different and rapidly changing world. And of course, bad actors were poised to take advantage.

Although upticks were seen across the gamut of cybercriminal activities, DDoS and ransomware were the two threats that arguably saw the most significant rise and, consequently, the most attention. Just last month, our researchers revealed that in 2020, for the first time in history, they had observed more than 10 million (10,089,687 to be precise) DDoS attacks in a single year. That is nearly 1.6 million more attacks than they observed in 2019.

Similarly, ransomware accounted for over a third of all cyber incidents going into Q4 2020, according to risk consulting firm Kroll.

Are we seeing a new trend in DDoS extortion?

When it comes to DDoS extortion, our researchers have seen techniques evolve across global DDoS campaigns during the last year. In mid-August 2020, a threat actor our researchers dubbed Lazarus Bear Armada (LBA), due to its propensity to claim affiliation with the well-known Lazarus Group, Fancy Bear and Armada Collective, initiated a global campaign of DDoS extortion attacks. These were largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers.

Usually, in these kinds of campaigns the attackers launch a small-scale DDoS attack at a target, as a warm-up act, and then send an extortion email threatening a far larger attack if their demands (usually payment in Bitcoin) are not met. In most cases, even if the demands are not met, the attackers simply move on to a new target and no larger DDoS attack ever materialises. In this case, however, some very real follow-on attacks have taken place.

Beyond this key difference, what is novel with LBA is the follow-up approach the group now appears to be taking. As of late December, our ASERT team is seeing LBA return, weeks or months later, to earlier targets that refused to pay the extortion demand and successfully mitigated the initial DDoS attacks. In these cases the attacker sends a new extortion demand, sometimes posted publicly, which cites the previous demand and is typically accompanied by a new wave of DDoS attacks.

In the case of LBA, at least currently, the follow-up attacks are no more sophisticated, so any organisation which fended off the first wave is likely to do so again. What is more of a concern is the behaviour itself, and whether this repeated targeting of the same organisations becomes the norm in these kinds of attack campaigns.

In 2020 double extortion ransomware attacks came to the fore. These aim to maximise pressure on victims to pay by threatening to leak sensitive or proprietary data as well as locking it away. Double extortion ransomware attacks were first seen in late 2019 and were the modus operandi of the Maze group last year. Although the Maze group has allegedly disbanded, the broad adoption of this technique makes it likely that this kind of attack will continue throughout 2021. Recent research from Acronis revealed that during 2020 around 1,000 companies had their data leaked after refusing to give in to ransomware demands.

Similarities, differences and how to protect your organisation

It’s clear that 2020 presented some very significant and unexpected challenges to IT and security professionals, organisations and service providers, and these challenges are not going to go away just because we have ticked over into 2021. Although ransomware and DDoS extortion attacks are different in many ways, they do share some key similarities.

Firstly, both threats impact availability, in the terms MITRE uses to describe them. When it comes to DDoS, bad actors can target the network, infrastructure or application to degrade or block the availability of services or resources to users. Ransomware attackers, by contrast, encrypt data on target systems, or on large numbers of systems across a network, to interrupt the availability of system and network resources.

Secondly, both have a very low bar to entry. For ransomware, interested parties can easily access affiliate programmes to buy multiple ransomware malware families, each with publicly available source code. For budding DDoS attackers it’s similarly easy to get in at the ground floor, as DDoS-for-Hire and Booter/Stresser Services are inexpensive and readily available.

Finally, both flavours of cybercriminal are looking for unprepared targets. With ransomware, adversaries take advantage of organisations that lack adequate end-point protection, data backup, network segmentation, and recovery programs. DDoS attackers, on the other hand, want to find companies with an inadequate DDoS protection plan.

One big difference though lies in an organisation’s ability to control its own fate. If ransomware attackers are successful at infiltrating an organisation there’s not much a company can do once infected – apart from going through the painful process of restoring their systems, if they can.

DDoS, though, is a well-understood threat, and appropriate defences can successfully prevent the availability of services being affected. Companies that use specialised DDoS protection products have control of their fate.

Fundamentally, in today’s ever-changing world, it is imperative that defenders and security professionals protect the availability of services from the escalating threats they face, especially given the increased reliance we all have on Internet services in both our business and personal lives.

