
Europol Annual Report on Organized Internet Crime Lists Ransom DDoS As Key Threat

The European Union’s law enforcement agency, Europol, has released its annual Internet Organised Crime Threat Assessment report, which offers an overview of the cyberthreat landscape in Europe. The report authors chose to focus on changes to the threat landscape over the past 12 months. Several trends were highlighted, but it’s noteworthy that at the very top of its list of “Key Threats” is this: “Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.” Ransomware combined with Distributed Denial of Service (DDoS) attacks has been an increasing problem over the past few years, and threat actors now seem to be launching such attacks more frequently than ever.

What are some of the factors driving this trend?

First of all, as this report states, the crime-as-a-service marketplace is growing on the Dark Web, and cybercriminals are increasingly using technology that can obfuscate their nefarious online activities. They are emboldened and enabled by both legitimate services, such as end-to-end encrypted communications and cryptocurrencies, as well as “grey infrastructure” that includes services such as bulletproof hosting, rogue cryptocurrency exchanges, and VPNs that offer safe havens for criminals.

Secondly, according to Europol’s report, ransomware attackers are taking advantage of the remote/telework conditions created by the Covid pandemic, which has significantly increased their available attack surface. Cybercriminals are “scanning potential targets’ networks for insecure remote desktop protocol (RDP) connections and keeping a keen eye on disclosed virtual private network (VPN) vulnerabilities.”

Thirdly, DDoS attacks continue to be relatively easy to launch, even for the technically uninitiated. The proliferation of DDoS-for-hire services continues to enable pretty much anyone with the motivation to launch damaging DDoS attacks for just a few tens of dollars. And the ease with which payments can be received with relative anonymity, via cryptocurrency, is ushering in a new era of have-a-go extortionists.

Last, but not least, cybercriminals in general are now primarily motivated to make money, rather than make political statements or create mayhem, and the combination of ransomware and DDoS for extortion is highly lucrative. Either type of attack on its own could disable an organization, but the combination of the two can hold an organization hostage and make it “cry uncle” (i.e., submit to a ransom demand). In a world that increasingly depends upon Internet connectivity to conduct any business, DDoS attacks alone are a huge threat to business continuity.

Who are the most likely future targets?

Europol has found that cybercriminals are strategic in who they target, in order to obtain the best profit and maximize their chances of evading law enforcement: “The use of traditional mass-distributed ransomware seems to be in decline and perpetrators are moving towards human-operated ransomware targeted at private companies, the healthcare and education sectors, critical infrastructure and governmental institutions. The shift in the attack paradigm indicates that ransomware operators choose their targets based on their financial capability to comply with higher ransom demands and their need to be able to resume their operations as quickly as possible.” However, the report adds that “many of the most infamous groups have reduced the attacks on governments and social services in an attempt to limit the attention of law enforcement on them. DDoS attacks have re-emerged and are targeting service providers, financial institutions and businesses.”

How can organizations defend against these attacks?

To do their job more effectively, the Europol agency seeks a variety of things, including greater international cooperation, more information sharing between public and private entities, and an increase in law enforcement staff who are well-trained and equipped to handle cybersecurity incidents.

Organizations have little or no control over law enforcement efforts, except to cooperate when an incident happens (we’ll write more about that in an upcoming blog post). Therefore, it is incumbent upon the organizations themselves to make sure that they are not vulnerable to a DDoS attack, by having real-time, automated, always-on DDoS mitigation in place; this defense can virtually eliminate the risk of a combined ransom-DDoS threat. Unfortunately, defending against ransomware is a slightly more complex challenge, because cybercriminals have multiple methods of installing ransomware. Defending against ransomware requires human cyber hygiene (e.g., staff training to build awareness of phishing emails) as well as threat detection software and a strong firewall. (Bear in mind that even a modest DDoS attack can bring a firewall to its knees.)

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.