Denial of Service Attacks are Returning to use for Extortion

Ransomware has taken the scene again in the cybercrime ecosystem, causing companies over one billion dollars in losses over the last year.

Ransomware has taken the scene again in the cybercrime ecosystem, causing companies over one billion dollars in losses over the last year. At the same time, distributed denial of service (DDoS) attacks, which for several years were the main tool used to extort businesses, are returning in force, and ransomware groups are even using them to put more pressure on their victims to pay the extortion fees.

According to several annual reports from Content Delivery Network providers and DDoS mitigation vendors, 2020 was a record-breaking year for DDoS attacks, both in the number of attacks and in their size, including the attack vectors used. The renewed popularity of DDoS attacks was partially driven by the COVID-19 pandemic, which forced most companies to move their employees to remote working. That made them more vulnerable to disruptions of business operations, which in turn makes them far more likely to pay extortion fees to stop the attacks.

The trend is continuing into the first half of this year. Akamai saw three of the six biggest DDoS attacks in history during February alone, with attacks exceeding 50Gbps in the first three months. The company estimates that attacks over 50Gbps can take most services that lack anti-DDoS mitigation offline by saturating their bandwidth.

Return of the Distributed Denial of Service Attacks

The motives behind DDoS attacks vary widely with the goals of the people using them. These people range from business owners wanting to disrupt their competitors, to hacktivists wanting to send a message, to simple vandalism between two rivals.


Extortion is one of the biggest tactics used by hackers and cybercriminals because of how profitable it can be, and because launching a DDoS attack to cripple business operations is such a cheap investment. DDoS-for-hire services, whose operators can be paid to attack a target of the customer's choosing, can cost as little as seven dollars per attack, which makes them affordable to practically anyone who wants to perform a DDoS attack.

According to application and network performance monitoring vendor NetScout Systems, cybercriminals demonstrating their DDoS capabilities to prospective customers is most likely the number one reason for such attacks, followed by online gaming (with people staying home because of the pandemic) and outright extortion. Attackers can also use DDoS attacks as cover to keep IT and security teams from detecting other malicious activity on their networks, including infrastructure compromises and data leaks.

Ransom DDoS incidents spiked dramatically beginning last August, both because several ransomware groups adopted DDoS as an additional extortion technique and because of campaigns launched by one particular gang that impersonates other threat actors, such as Fancy Bear (Russia) or Lazarus Group (North Korea). The group, named the Lazarus Bear Armada (LBA), launches demonstration DDoS attacks ranging from 50 to 300Gbps and sends an extortion email claiming to have 2Tbps of DDoS capability and demanding payment in Bitcoin. In the emails the attackers claim to be affiliated with groups whose names appear in media reports in order to boost their credibility. In many cases the group doesn't follow up with additional attacks if the ransom is not paid, but there were a few cases where it did, and after a while it targets previous victims again.

The group's targets tend to be in the financial, retail, travel and e-commerce sectors around the world. The group also researches its targets before attacking: it usually identifies non-generic email addresses that the victim organizations are likely to monitor and targets critical yet non-obvious applications, including virtual private network (VPN) concentrators, indicating an advanced level of planning. The group's activities have prompted alerts from multiple security vendors and the FBI.

Unlike groups like LBA that rely only on RDDoS (ransom DDoS) to extort money from organizations, ransomware gangs use DDoS as additional leverage to convince victims to pay the original ransom, much as they use data leak threats. In other words, some ransomware attacks are now a triple threat combining file encryption, data theft and DDoS attacks. Ransomware gangs known to use or claim to use DDoS attacks in this way include Avaddon, SunCrypt, Ragnar Locker and REvil.

Just like with ransomware, it's hard to say how many RDDoS victims actually pay the ransom, but the fact that the number, size and frequency of these attacks are on the rise suggests the activity is profitable enough. This might be because it has a lower barrier to entry than ransomware itself, thanks to the widespread availability of DDoS-for-hire services whose use doesn't require much technical knowledge.

Cloudflare said in a recent report:

In 2021 Q1, 13% of surveyed Cloudflare customers that were hit by a DDoS attack reported they were either extorted by an RDDoS attack or received a threat in advance.

Akamai observed a 57% increase in the number of unique organizations being attacked year over year and NetScout reported that the number of DDoS attacks per year exceeded the 10 million threshold for the first time.

Akamai researchers said last month in a report:

Clinging to the hope of a major Bitcoin payout, criminal actors have started to ramp up their efforts and their attack bandwidth, which puts to rest any notion that DDoS extortion was old news.

The most recent extortion attack — peaking at more than 800Gbps and targeting a European gambling company — was the biggest and most complex we’ve seen since the widespread return of extortion attacks that kicked off in mid-August 2020. Since the start of the campaign, show-of-force attacks have grown from 200+ Gbps in August to 500+ Gbps by mid-September, then ballooned to 800+ Gbps by February 2021.

Attack Complexity Increases

According to Akamai, two-thirds of the DDoS attacks it observed last year used multiple vectors, some as many as 14 different vectors. NetScout also reported a sharp rise in multi-vector attacks, especially toward the end of 2020 and across attacks that exceeded 15 different vectors; the company saw a few attacks using up to 25 different vectors.

DDoS reflection and amplification, achieved by abusing multiple UDP-based protocols, remains very popular. The technique involves attackers sending packets with a spoofed source IP address to poorly protected servers on the internet, forcing those servers to send their responses to the intended victim instead of back to the attackers. This achieves two goals: reflection, because the victim sees traffic coming from legitimate servers rather than from the attacker's bots, and amplification, because some protocols can be abused to generate much larger responses to short queries, increasing the size or frequency of the packets the attackers can trigger. The size of a DDoS attack is measured in traffic volume per second, which can saturate bandwidth, and in packets per second, which can saturate a server's processing power.

DNS amplification has been one of the most popular DDoS vectors in 2020 and for several years before. Other notable protocols used for amplification include Network Time Protocol (NTP), Connection-less Lightweight Directory Access Protocol (CLDAP), Simple Service Discovery Protocol (SSDP), Web Services Discovery (WSD or WS-DD), Remote Desktop Protocol (RDP) over UDP and Datagram Transport Layer Security (DTLS).
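The reflection mechanism and the list of abused services above translate directly into a detection rule a network defender can run over flow data: reflected traffic arrives at the victim with the reflector service's port as the source port, from many distinct sources at once, and either the bit rate or the packet rate climbs past what the link or the server can absorb. The following is an added example written for this article, not code from Akamai, NetScout or any vendor tool. It assumes a simple whitespace-separated flow line format, documentation-range IP addresses, a fixed observation window and illustrative thresholds; the sample flows are constructed.

```python
"""Flag likely UDP reflection/amplification traffic in flow records.

Added example; not from the article or from Akamai/NetScout tooling.
Assumptions: flow records are whitespace-separated lines of the form
"proto src_ip:src_port dst_ip:dst_port packets bytes", all covering the same
observation window, and the thresholds below are illustrative defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Standard ports of the services the article names as amplification vectors.
# DTLS is omitted because it has no single well-known port.
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP",
    3702: "WS-Discovery", 3389: "RDP/UDP",
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    n_packets: int
    n_bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one flow line (assumed format, see module docstring)."""
    proto, src, dst, pkts, byts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(pkts), int(byts))


def aggregate_by_vector(flows: Iterable[Flow], victim_ip: str,
                        window_s: float) -> Dict[str, dict]:
    """Sum inbound UDP traffic to victim_ip whose *source* port is a known
    reflector service (reflected responses come from the service's port).
    Returns per-service source count, bits/s, packets/s and mean packet size."""
    agg = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.dst_ip != victim_ip:
            continue
        service = REFLECTOR_PORTS.get(f.src_port)
        if service is None:
            continue
        agg[service]["sources"].add(f.src_ip)
        agg[service]["packets"] += f.n_packets
        agg[service]["bytes"] += f.n_bytes
    summary = {}
    for service, a in agg.items():
        summary[service] = {
            "sources": len(a["sources"]),
            "bps": a["bytes"] * 8 / window_s,
            "pps": a["packets"] / window_s,
            "avg_pkt": a["bytes"] / max(a["packets"], 1),
        }
    return summary


def detect_reflection(summary: Dict[str, dict], min_sources: int = 10,
                      bps_threshold: float = 1e9,
                      pps_threshold: float = 1e6) -> List[Tuple[str, str]]:
    """Alert when many distinct reflectors of one service push traffic past a
    bandwidth or packet-rate threshold. Large mean packet size points at
    bandwidth saturation; small packets point at a packet-rate (CPU) attack."""
    alerts = []
    for service, s in summary.items():
        if s["sources"] < min_sources:
            continue  # a handful of real DNS/NTP servers replying is normal
        if s["bps"] >= bps_threshold or s["pps"] >= pps_threshold:
            kind = "volumetric (bandwidth)" if s["avg_pkt"] >= 512 else "packet-rate (CPU)"
            alerts.append((service, kind))
    return sorted(alerts)


# Constructed sample: documentation-range IPs, a 10-second window, victim 203.0.113.10.
SAMPLE_FLOWS = (
    # 12 CLDAP reflectors sending ~1400-byte responses: bandwidth-saturating.
    [f"UDP 198.51.100.{i}:389 203.0.113.10:40000 200000 280000000" for i in range(1, 13)]
    # 20 SSDP reflectors sending 300-byte packets at a high rate: packet-rate attack.
    + [f"UDP 192.0.2.{i}:1900 203.0.113.10:40001 1000000 300000000" for i in range(1, 21)]
    # 3 NTP servers replying normally: stays below the source-count floor.
    + [f"UDP 198.51.100.{i}:123 203.0.113.10:123 50 3800" for i in range(50, 53)]
    # Unrelated TCP traffic, and a DNS burst aimed at a different host.
    + ["TCP 198.51.100.200:443 203.0.113.10:51000 40 9000",
       "UDP 198.51.100.201:53 203.0.113.99:44000 500000 700000000"]
)


def run_sample(window_s: float = 10.0):
    """Parse the constructed flows and return (per-vector summary, alerts)."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS]
    summary = aggregate_by_vector(flows, "203.0.113.10", window_s)
    return summary, detect_reflection(summary)


if __name__ == "__main__":
    summary, alerts = run_sample()
    for service, s in summary.items():
        print(f"{service:13s} sources={s['sources']:3d} {s['bps'] / 1e9:6.2f} Gbps "
              f"{s['pps'] / 1e6:5.2f} Mpps avg={s['avg_pkt']:.0f} B")
    print("alerts:", alerts)
```

The source-count floor is what separates a reflection attack from ordinary replies: a site's own resolvers or NTP peers answer from port 53 or 123 too, but from a few addresses, not dozens. Splitting the verdict into bandwidth versus packet-rate mirrors the two saturation modes the article describes and tells the responder whether to ask the upstream provider for scrubbing or to tune the server's packet processing.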

Attackers are always on the lookout for new attack vectors and protocols to abuse that could bypass existing defenses and industry-standard mitigation strategies. Around mid-March, Akamai started seeing a new attack vector that relies on the Datagram Congestion Control Protocol (DCCP), a transport protocol similar to UDP but with congestion and flow control capabilities that UDP lacks. The attacks Akamai has seen so far were the usual floods, intended to bypass UDP- and TCP-based mitigations.

NetScout researchers said the following:

Abusable open-source and commercial applications and services based on UDP remained a valuable asset for attackers, who mined them to discover new reflection/amplification DDoS attack vectors to power a new wave of attacks.

Other DDoS vectors that were common last year, according to NetScout, were TCP ACK, TCP SYN, ICMP, TCP reset, TCP ACK/SYN amplification and DNS floods.