Corero

The State of Ransom DDoS

Ransom distributed denial of service (RDoS) attacks, also known as DDoS-for-ransom, involve threat actors launching DDoS attacks against a target and demanding a ransom payment to stop or mitigate the attack. The primary goal of these attacks isn’t to disrupt the target’s online services by overwhelming their systems with a flood of traffic, but to extort money with the threat of doing so.

The first major reported RDoS attack was against ProtonMail, a popular Switzerland-based provider of encrypted email services, in November 2015. The threat actors sent the company a message threatening to flood the service with traffic it couldn’t handle unless they paid up. To prove they weren’t bluffing, they ran a test incursion that made the service inaccessible for about 15 minutes. Since then, ransom DDoS attacks have only proliferated and become more severe. Let’s look at some of the more recent ransom DDoS activity and what it means for your company’s protection.

Ransom DDoS Tactics

Typical ransom DDoS attacks employ certain tactics, including:

Threatening Messages

Extortion groups typically send threatening emails or messages to the target, warning them of an impending DDoS attack. The message often includes a demand for payment in cryptocurrency.

Demonstration Attacks

As in the aforementioned ProtonMail attack, groups often launch small-scale demonstration attacks to prove their capabilities and convince the target that they have the means to carry out a more significant and disruptive attack.

Demand of Crypto Payment

Extortionists commonly demand payment in Bitcoin or other cryptocurrencies due to the relative anonymity and difficulty in tracing transactions.

The Evolution of Ransom DDoS Tactics

Ransom DDoS attacks have evolved over time as threat actors adapt their tactics. It’s basically a chess match: organizations wise up to a certain type of attack, the cybercriminals change their strategy, and each player continues to make moves until the queen is captured and the king cornered. Checkmate. To win the game, organizations need to stay informed about the latest developments in DDoS extortion strategies. Let’s quickly look at how ransom DDoS tactics are evolving.

Increased Sophistication

Some recent DDoS attacks have demonstrated increased sophistication, using techniques like amplification attacks and leveraging botnets with diverse attack vectors.

Target Diversity

Historically, gaming networks and financial institutions have been the most common targets of ransom DDoS attacks, but recent trends indicate a broader range of industries being targeted, including online services, e-commerce, and critical infrastructure.

Legal and Law Enforcement Responses

Governments and law enforcement agencies around the world have been taking steps to combat ransom DDoS attacks. Legal consequences and international cooperation efforts are ongoing to apprehend and prosecute individuals involved in such cybercrimes.

Recently Active Ransom DDoS Extortion Groups

Here’s a snapshot of recently active ransom DDoS extortion groups:

DD4BC (DDoS for Bitcoin)

This group gained notoriety for targeting various organizations with DDoS attacks and demanding payment in Bitcoin. DD4BC is known for sending ransom letters threatening more severe attacks if payment is not made.

The Armada Collective

The Armada Collective, the group responsible for the first major reported ransom DDoS attack (the one against ProtonMail), is one of the most active and feared ransom DDoS groups. While some groups claiming to be the Armada Collective carry out actual attacks, others use the name for extortion attempts without launching significant DDoS attacks.

The Lizard Squad

Initially known for launching DDoS attacks against gaming networks, Lizard Squad later shifted to extortion, threatening companies with DDoS attacks unless they paid a ransom.

Conclusion

Whether it’s DD4BC, the Armada Collective, or the Lizard Squad, the best thing any company wary of ransom DDoS attacks can do is already have a system in place that helps them proactively mitigate DDoS attacks before they can do damage. Schedule time with one of our experts to learn how we can help.