Story image

Increase in DDoS extortion campaigns and hit-and-run assaults

By Shannon Williams, 03 Aug 2021

Blocked DDoS attack volumes were up more than 40% in the second quarter of 2021, according to a new report from cyber security firm Radware. 

The Q2 2021 DDoS Attack Report provides an overview of DDoS attack trends by industry, as well as across applications and attack types. 

The report found that on average, a company had to detect and block nearly 5000 malicious events and a volume of 2.3TB per month during the second quarter of 2021. 

During Q2 of 2021, the average number of blocked malicious events per company was up more than 30% and the average blocked volume per company increased by more than 40% compared to the second quarter of 2020. 

During the first half of 2021, a company located in the Americas or Europe, the Middle East and Africa (EMEA) had to repel, on average, twice as much volume compared to a company located in in Asia-Pacific. The Americas and EMEA accounted for about 80% of the blocked attack volume during that same period. 

"While large ransomware attacks are capturing headlines, companies need to pay attention to other cyber threats," says Pascal Geenens, director of threat intelligence for Radware. 

"From an increase in DDoS extortion campaigns and DDoS hit-and-run assaults, to a hactivist group targeting financial organisations in the Middle East, the second quarter saw a concerning amount of cyber activity compared to the activity levels we saw during the same quarter last year.

The results of this report should serve as a strong reminder to enterprises that no company is immune from being a target." 

According to Radware's report, the most attacked industry in the quarter was technology, with an average of almost 3000 attacks per company, followed by healthcare (2000 attacks per company) and finance (1350 attacks per company). Attacks in retail, communications and telecommunications averaged between 600 and 1000 per company.

Gaming averaged more than 400 attacks per company, while an average of approximately 280 attacks targeted government and utility organisations. 

In terms of blocked volume, retail endured the highest volumes in the second quarter, followed by gaming, telecommunications and technology, which blocked the second, third and fourth highest volumes respectively. 

Radware's attack report also revealed there were notable burst attacks during the second quarter of 2021. These targeted companies in finance and technology. 

These 'hit-and-run' DDoS assaults use repeated short bursts of high-volume attacks and were particularly aggressive in their amplitude (attack size) and frequency (number of bursts per unit of time). 

One attack showed multiple consistent 80Gbps bursts, lasting two to three minutes and repeating every four minutes. This resulted in 12 attack bursts of 80Gbps within a 45-minute timeframe. 

The second quarter saw a renewed DDoS extortion campaign by an actor posing as Fancy Lazarus. By the end of May, Radware had numerous emergency onboardings of its cloud security services from organisations that received these ransom letters. 

Ransom denial-of-service (RDoS) attacks, in which the victim receives a letter with a demand to pay a ransom or become the target of a DDoS attack, have been a persistent component of the DDoS threat landscape since August of 2020. 

During the second quarter of 2021, companies, on average, blocked almost 2000 scan events by unsolicited vulnerability scanners. 

According to the report, of those scans, 40% were performed by potentially malicious scanners looking to actively exploit known vulnerabilities and attack an organisation. Vulnerability scanners are automated tools that allow organisations to check if their networks and applications have security weaknesses that could expose them to attacks. 

"Organisations are being challenged by well organised threat actors," Geenens says. 

"The window between the disclosing and weaponising of new vulnerabilities is getting very slim. In some cases, we observed less than 24 hours between a manufacturer publishing a patch and malicious activity trying to exploit the vulnerability." 

Recent stories
More stories