Ransom DDoS attacks on the rise

The use of distributed denial of service (DDoS) attacks to extort money from organisations is on the rise, warns security firm Kaspersky Lab.

Using malware to encrypt data is not the only way cyber criminals are extorting money from organisations, the latest cyber security report from Kaspersky Lab security researchers reveals.

While the second quarter of 2017 saw the first global ransomware attack with WannaCry, the quarter also saw a rise in attackers extorting money under threat of distributed denial of service (DDoS) attacks.

In a typical ransom DDoS (RDoS) attack, cyber criminals demand a ransom of 5 to 200 bitcoins and threaten a DDoS attack if no payment is received, the researchers said in a blog post.

“The victim is chosen carefully. Usually, the victim is a company which would suffer substantial losses if their resources are unavailable,” they wrote.

The ransom messages are often accompanied by short-term attacks that serve as a demonstration of the attacker’s power.

However, some cyber criminals have adopted a less targeted approach to gain revenue quickly without much effort by sending out bulk DDoS threats demanding ransom, but without a demo attack.

“Paying the ransom would create a certain reputation for a company and provoke further attacks of other cyber criminal groups,” the researchers warn.

They also note that RDoS attacks are increasingly carried out by inexperienced individuals or groups, not co-ordinated professional hacker teams.

This means that many of these groups may not be able to follow up their demo attacks with any meaningful DDoS attack and victim organisations may be paying ransoms unnecessarily.

Botnet analysis shows growth of attacks

An analysis of botnets, which are just one method of carrying out DDoS attacks and do not account for every DDoS attack, revealed that 86 countries came under DDoS attack from April to June 2017, an increase of 19% compared with the first three months of the year.

Another trend revealed by the analysis is a return to long-duration DDoS attacks, with one attack in China during the quarter lasting for 277 hours, which is just over 11 days. This represents a 131% increase on the longest-running attack seen in the first quarter.

At the same time, the proportion of the attacks that lasted less than 50 hours remained practically unchanged at 99.7% in the second quarter compared with 99.8% in the first quarter.

In terms of geographic location, almost half (47.42%) of the DDoS attacks were aimed at targets in China. Other countries in the top 10 most affected by DDoS attacks in the second quarter were South Korea, the US, Hong Kong, the UK, Russia, Italy, the Netherlands, Canada, and France.

Targeted organisations included international news agencies such as Al Jazeera, Le Monde and Figaro, as well as the largest Bitcoin exchange Bitfinex.

Automate networks now, says expert

Malcolm Murphy, technology director for Western Europe at security firm Infoblox, said DDoS attacks are extremely common and can be catastrophic to a business.

“The reality is that, as a critical piece of business infrastructure, DNS [domain name system] will always be a prime target for hackers and many organisations are still leaving their networks vulnerable to attack.”

Businesses are increasingly dependent on their networks, said Murphy. “As these networks become bigger and more complex, the number of potential vulnerabilities is skyrocketing and, while there is no easy solution to securing DNS, there are a few steps that can help mitigate and respond to DNS-based DDoS attacks,” he said.

According to Murphy, all organisations urgently need to automate their network management to gain full visibility. “With such a rapidly changing threat landscape it may not always be clear what an attack looks like, but anomalies in DNS queries will be more easily identifiable,” he said.

A turning point

In May 2017, Neustar warned that DNS should be at the core of information security strategies as DDoS attacks increasingly form part of wider cyber attacks and continue to ramp up to unprecedented levels.

A DDoS attack can cost an organisation more than $2.5m in revenue on average, according to the company’s May 2017 DDoS and cyber security insights report.

Globally and in the Europe, Middle East and Africa (Emea) region, 43% of the more than 1,000 infosec professionals polled said more than $250,000 of revenue an hour was at risk, while UK retailers said DDoS attacks typically put $100,000 to $250,000 of revenue an hour at risk, the report said.

In January 2017, a Deloitte report said the proliferation of IoT devices and IoT exploit kits may make 2017 a turning point in DDoS attacks requiring new defence tactics.

The report predicted that 2017 will see an average of one attack a month reaching at least 1Tbps in size, with the number of DDoS attacks for the year expected to reach 10 million.

The report ascribed the anticipated escalation to the growing installed base of insecure internet of things (IoT) devices that are easy to incorporate into botnets; the online availability of malware methodologies such as Mirai that allow relatively unskilled attackers to corral insecure IoT devices and use them to launch attacks; and the availability of ever-higher bandwidth speeds.
