As many organisations around the world are being plagued by distributed denial of service (DDoS) attacks, some security firms and analysts are doing their best to untangle the attack web to find out who is behind the attacks.
In a bulletin that went out overnight from security firm Radware, those behind the attacks appear to be posing as well-known advanced persistent threat (APT) groups such as Fancy Bear, the Armada Collective, and the Lazarus Group.
This backs up earlier research from Akamai, which says the campaign may be the work of Fancy Bear and the Armada Collective. It is not clear, however, that those groups are actually responsible: another threat actor may be imitating well-known groups in order to make its threats seem more credible.
The global DDoS campaign is targeting thousands of organisations including internet service providers, finance companies, travel agencies, and companies in eCommerce.
The attackers target organisations by sending emails that name the specific IP addresses or autonomous system numbers (ASNs) they will hit if the victim does not cooperate.
The attackers then demand a ransom of 10 Bitcoin (around NZ$167,920 at the time, with one Bitcoin trading at roughly NZ$16,792), and some demands have reached 20 Bitcoin (NZ$335,839).
If targeted organisations do not pay, the attackers threaten DDoS attacks of up to 2 terabits per second (2Tbps), though most attacks seen so far have ranged between 50Gbps and 200Gbps. The demand also rises by 10 Bitcoin each time a deadline passes without payment.
Radware says that it has seen evidence that the attackers will follow up on their initial ransom demand. They often cite examples of other attacks so that targets can search for other recent disruptions. The attackers then ask, "You don't want to be like them, do you?"
If targets refuse to pay, the attackers often launch DDoS attacks using a variety of methods, including UDP and UDP fragment floods, WS-Discovery amplification, TCP SYN floods, TCP out-of-state floods and ICMP floods.
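The vectors listed above leave distinct fingerprints in flow records at the network edge, and a target that has just received one of these emails will want a quick way to tell which vector is in play when the deadline passes. The following is an added example written for this article, not tooling from Radware or Akamai: it classifies constructed NetFlow-style records into the vectors named here and reports only those whose packet rate towards a destination exceeds a threshold. The record layout, the sample flows, the 10-second window and the 1,000 packets-per-second threshold are all assumptions for illustration.

```python
"""Classify constructed flow records into the DDoS vectors named in the article.

Added example, not vendor tooling. The Flow layout below is a simplified,
assumed NetFlow-style record; real exporters differ in field names and in
how TCP flags are aggregated over a flow.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# WS-Discovery (SOAP over UDP) listens on 3702. Legitimate WS-Discovery is
# LAN-only multicast, so unicast replies arriving from Internet hosts with
# this source port are reflected amplification traffic, not real discovery.
WS_DISCOVERY_PORT = 3702


@dataclass(frozen=True)
class Flow:
    proto: str        # "udp", "tcp" or "icmp"
    src_ip: str
    src_port: int     # 0 for ICMP
    dst_ip: str
    dst_port: int     # 0 for ICMP
    tcp_flags: str    # flags OR-ed over the flow, e.g. "S", "PA"; "" for non-TCP
    packets: int
    bytes: int
    fragmented: bool  # True when the flow carried non-initial IP fragments


def classify(flow: Flow) -> Optional[str]:
    """Return the vector this flow WOULD represent if seen at flood volume.

    Classification alone is not a verdict: a normal DNS reply is "udp-flood"
    here and an idle established session can look "tcp-out-of-state" because
    its SYN fell into an earlier export interval. detect() gates on volume.
    """
    if flow.proto == "udp":
        if flow.src_port == WS_DISCOVERY_PORT:
            return "ws-discovery-amplification"
        if flow.fragmented:
            return "udp-frag-flood"
        return "udp-flood"
    if flow.proto == "tcp":
        if flow.tcp_flags == "S":
            return "syn-flood"          # SYN only: handshake never completes
        if flow.tcp_flags and "S" not in flow.tcp_flags:
            return "tcp-out-of-state"   # ACK/RST/FIN with no handshake seen
        return None                     # completed handshake: treat as normal
    if flow.proto == "icmp":
        return "icmp-flood"
    return None


def detect(flows: List[Flow], window_seconds: float,
           pps_threshold: float) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Aggregate flows per (destination, vector) over one export window.

    Returns {(dst_ip, vector): {"pps": packets per second, "sources": distinct
    source IPs}} for every pair above the threshold. A high source count on a
    reflected vector (WS-Discovery) is the signature of an amplification attack.
    """
    packets: Dict[Tuple[str, str], int] = defaultdict(int)
    sources: Dict[Tuple[str, str], set] = defaultdict(set)
    for flow in flows:
        vector = classify(flow)
        if vector is None:
            continue
        key = (flow.dst_ip, vector)
        packets[key] += flow.packets
        sources[key].add(flow.src_ip)
    result = {}
    for key, count in packets.items():
        pps = count / window_seconds
        if pps >= pps_threshold:
            result[key] = {"pps": pps, "sources": len(sources[key])}
    return result


# Constructed sample export window (documentation address ranges only).
SAMPLE_FLOWS = [
    # Three reflectors answering on UDP/3702 towards the victim: amplification.
    Flow("udp", "198.51.100.5", 3702, "203.0.113.10", 41234, "", 5000, 5_000_000, False),
    Flow("udp", "198.51.100.6", 3702, "203.0.113.10", 41234, "", 5000, 5_000_000, False),
    Flow("udp", "198.51.100.7", 3702, "203.0.113.10", 41234, "", 5000, 5_000_000, False),
    # SYN-only flows from spoofed sources against the HTTPS listener.
    Flow("tcp", "192.0.2.20", 44100, "203.0.113.10", 443, "S", 8000, 480_000, False),
    Flow("tcp", "192.0.2.21", 44101, "203.0.113.10", 443, "S", 8000, 480_000, False),
    # Low-rate ICMP: classified but filtered out by the threshold.
    Flow("icmp", "192.0.2.30", 0, "203.0.113.10", 0, "", 200, 16_800, False),
    # Benign DNS reply and an established session: both stay below threshold.
    Flow("udp", "198.51.100.53", 53, "203.0.113.10", 55000, "", 4, 600, False),
    Flow("tcp", "192.0.2.40", 51000, "203.0.113.11", 443, "PA", 30, 9_000, False),
    # Fragmented UDP flood towards a second host.
    Flow("udp", "192.0.2.50", 40000, "203.0.113.11", 9, "", 12000, 17_000_000, True),
]

if __name__ == "__main__":
    for (dst, vector), stats in sorted(detect(SAMPLE_FLOWS, 10.0, 1000).items()):
        print(f"{dst:15} {vector:28} {stats['pps']:8.1f} pps  {stats['sources']} sources")
```

Running the block reports the WS-Discovery amplification and SYN flood against 203.0.113.10 and the fragment flood against 203.0.113.11, while the ICMP trickle, the DNS reply and the established session are classified but never surface, which is the point of gating on rate rather than on packet shape alone.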
Akamai notes that the campaign is similar to one conducted in 2019 by a threat group that appeared to imitate the APT group Cozy Bear.
Radware states that it is important that any organisation that receives a ransom demand should take the matter seriously, as attackers will more than likely follow through with DDoS attacks.
However, organisations should not pay the ransom, and the attacks can be mitigated if the right protection is in place.
"These attacks are not at a level of complexity/amplitude that prevent mitigation if the right protection is in place. Radware has seen faster and better mitigation by leveraging hybrid always-on protection compared to asymmetric routed cloud protections," the company states.
Akamai also urges targeted firms not to pay the ransom.
"We still believe that the actors conducting these extortion attacks are looking for a quick payout, with as little effort as possible on their part," Akamai states.
Organisations should ensure they have:
- Hybrid DDoS protection for on-premises and cloud environments. This protection must be able to defend against high-volume attacks and pipe saturation
- Behavioural-based detection that blocks anomalous traffic while letting genuine traffic through
- Real-time signature creation to protect against known and unknown threats, including zero-day attacks
- A security emergency response plan, so that a ransom note or an attack in progress is handled by a prepared process rather than improvised
- A threat intelligence feed that identifies active and known attackers.