
DDoS ransom attacks flare up again after brief hiatus

25 Jan 2021

DDoS ransom attackers have been anything but silent after major disruption in August 2020, with activity spiking again in the last week of December and the first week of January 2021.

According to security firm Radware, some of its customers were targeted by a fresh wave of ransom demands as part of another global round of attacks.

In August 2020, the first wave of attacks targeted organisations including New Zealand’s NZX stock exchange, as well as other firms around the world.

The attacks begin with letters demanding that targets pay a ransom in cryptocurrency or face massive distributed denial of service (DDoS) attacks, the kind that could pull their internet-facing services offline and create major havoc.

Radware says that the second wave of attacks in December and January targeted organisations that were hit the first time and did not respond or pay the ransom. Target organisations were also not named in the media.

The ransom demand begins with: "Maybe you forgot us, but we didn't forget you. We were busy working on more profitable projects, but now we are back."

"We asked for 10 bitcoin to be paid at <bitcoin address> to avoid getting your whole network DDoSed. It's a long time overdue and we did not receive payment. Why? What is wrong? Do you think you can mitigate our attacks? Do you think that it was a prank or that we will just give up? In any case, you are wrong."

According to Radware, the rising price of cryptocurrency such as Bitcoin means that organisations that give in and pay the ransom could lose around $300,000 for a 10 Bitcoin ransom.

The attackers understand this market dynamic and write, "We will be kind and will not increase your fee. Actually, since the Bitcoin price went up for over 100% since the last time we will temporarily decrease the fee to 5 BTC! Temporarily."

Radware strongly advises not to pay the ransom because there is no guarantee that it will stop the attackers coming back, and no guarantee they won’t conduct a DDoS attack anyway.

Target organisations were hit with attacks exceeding 200Gbps that lasted for more than nine hours. The attack traffic consisted of UDP port 80, UDP fragments, and DNS traffic.

Radware states that there is a shift in DDoS attack tactics as attackers go after the same organisations for a second time. Furthermore, it indicates that the group has either been successful during its first wave or has the financial resources to continue attacks of such size and duration.

Radware recommends that organisations seek DDoS protection that includes on-premise and cloud DDoS protection.

Behaviour-based detection, real-time signature creation, intelligence on threat actors, and network protection are also extremely important.
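As an added illustration of the behaviour-based detection mentioned above, applied to the three vectors Radware observed (UDP port 80, UDP fragments, DNS), the following example is not from the article or from Radware: it classifies constructed flow-summary records by vector, computes per-second throughput, and raises an alert when a vector exceeds a multiple of an assumed learned baseline. The `Flow` record layout, the baseline values and the 10x multiplier are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """Assumed NetFlow/sFlow-style summary: 1-second bucket, protocol, dst port, fragment flag, bytes."""
    bucket: int
    proto: str
    dst_port: int
    fragment: bool
    nbytes: int

def classify(flow: Flow) -> Optional[str]:
    """Map a flow onto one of the vectors reported for this campaign; fragments are checked first
    because a fragmented UDP datagram carries no port in its non-initial fragments."""
    if flow.proto != "UDP":
        return None
    if flow.fragment:
        return "udp_fragment"
    if flow.dst_port == 80:
        return "udp_port_80"
    if flow.dst_port == 53:
        return "dns"
    return None

def bits_per_bucket(flows):
    """Per-bucket, per-vector throughput in bits/s (buckets are one second wide)."""
    rates = defaultdict(lambda: defaultdict(int))
    for f in flows:
        vector = classify(f)
        if vector:
            rates[f.bucket][vector] += f.nbytes * 8
    return rates

def detect(flows, baseline_bps, multiplier=10.0):
    """Behaviour-based check: alert when a vector's rate exceeds multiplier x its baseline.
    Returns a sorted list of (bucket, vector, bits_per_second)."""
    alerts = []
    for bucket, per_vector in bits_per_bucket(flows).items():
        for vector, bps in per_vector.items():
            if bps > multiplier * baseline_bps.get(vector, 0):
                alerts.append((bucket, vector, bps))
    return sorted(alerts)

# Constructed baseline (bits/s) and sample flows: bucket 0 is quiet traffic,
# bucket 1 totals 200 Gbps split across the three vectors, as in the reported attacks.
BASELINE_BPS = {"udp_port_80": 1_000_000, "udp_fragment": 500_000, "dns": 5_000_000}
SAMPLE_FLOWS = [
    Flow(0, "UDP", 80, False, 100_000), Flow(0, "UDP", 53, False, 500_000),
    Flow(0, "UDP", 0, True, 50_000), Flow(0, "TCP", 443, False, 5_000_000),
    Flow(1, "UDP", 80, False, 12_500_000_000),   # 100 Gbps
    Flow(1, "UDP", 0, True, 6_250_000_000),      # 50 Gbps
    Flow(1, "UDP", 53, False, 6_250_000_000),    # 50 Gbps
]
```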

Organisations should also have a cybersecurity response plan that deals with events such as DDoS attacks.