DDoS attacks are getting stronger

Ransomware has taken center stage in the cybercriminal ecosystem, causing more than $1 billion in global losses last year alone and generating hundreds of millions of dollars in profit for the criminals behind it. At the same time, distributed denial of service (DDoS) attacks, which have long been used to extort businesses, are making a comeback, and ransomware groups now use DDoS attacks to add pressure on victims to pay.

According to recent annual reports from several content delivery networks and DDoS mitigation providers, 2020 was a record-breaking year for DDoS: record numbers of attacks, record attack sizes, and a record number of attack vectors. The resurgence of DDoS extortion may be driven by the COVID-19 pandemic, which forced companies to enable remote working for most of their employees, leaving them more exposed to business disruption and therefore more attractive extortion targets.

2021 continues the trend. In February, Akamai recorded three of the six largest DDoS attacks it had ever seen, and the number of DDoS attacks above 50Gbps in the first three months of 2021 already exceeded the total for all of 2019. Akamai estimates that the vast majority of online services without DDoS mitigation will be knocked offline by bandwidth saturation when hit by attacks above 50Gbps.

DDoS extortion returns

The motivations behind DDoS attacks vary: unscrupulous business owners wanting to disrupt competitors' services, hacktivists wanting to make a point against groups they oppose, and plain sabotage born of rivalry between groups. Extortion, however, has been the biggest and arguably the most lucrative driver of this activity, since a DDoS attack requires very little investment: DDoS-for-hire (booter) services can cost as little as $7 per attack, putting them within reach of almost anyone.

In fact, data from application and network performance monitoring firm Netscout Systems shows that demonstrating DDoS capabilities to potential customers is the number one motive for such attacks, followed by online gaming-related motives (many people have spent more time gaming during the pandemic) and then extortion. Attackers also often use DDoS as a smokescreen, keeping corporate IT and security teams too busy to notice other malicious activity on their networks, such as infrastructure intrusions and data exfiltration.

The surge in ransom DDoS (RDDoS) incidents began in August 2020, partly because multiple ransomware gangs adopted DDoS as an additional extortion technique, but also because a cybercriminal gang posing as state-sponsored groups such as Russia's Fancy Bear or North Korea's Lazarus Group launched a global campaign. The gang, dubbed Lazarus Bear Armada (LBA), first launched demonstrative DDoS attacks of 50Gbps to 300Gbps against selected targets, then sent extortion emails claiming the capability to launch 2Tbps attacks unless the targeted company paid in Bitcoin. In the emails, the attackers tried to boost their credibility by claiming affiliation with prominent groups that regularly appear in the news. In many cases the gang did not follow up with further attacks when the target refused to pay, but sometimes it did, and after a while it would return to take another bite at an earlier victim.

The gang mainly targets businesses in the financial, retail, travel and e-commerce industries worldwide, and appears to carry out reconnaissance and planning: it identifies non-generic email addresses that victim companies are likely to monitor, and targets critical but less obvious applications, services and VPN concentrators, indicating an advanced level of preparation. Several security vendors and the FBI have issued alerts about the gang's activities.

Unlike gangs such as LBA, which rely solely on RDDoS to extort money, ransomware operations use DDoS as extra leverage to convince victims to pay the original ransom, in the same way they use stolen data as a threat. In other words, some ransomware attacks have now evolved into a triple extortion that combines encryption, data theft and DDoS. Ransomware gangs that use or claim to use DDoS in this way include Avaddon, SunCrypt, Ragnar Locker and REvil.

As with ransomware, it is difficult to say exactly how many RDDoS victims pay, but the growing number, scale and frequency of such attacks suggests the campaigns are profitable enough to sustain. One reason may be that DDoS-for-hire services are ubiquitous and require little technical knowledge, so the barrier to entry is much lower than for ransomware itself. "In Q1 2021, 13% of surveyed Cloudflare customers who experienced a DDoS attack said they were either extorted by an RDDoS attack or received a threat in advance," Cloudflare wrote in a recent report.

Akamai observed a 57% year-over-year increase in the number of organizations attacked, and Netscout reported that the annual number of DDoS attacks exceeded 10 million for the first time.

Last month, Akamai researchers wrote in a report: "Holding on to the hope of garnering huge bitcoin payments, cybercriminals have begun to ramp up their efforts and expand the bandwidth of their attacks, dispelling the notion that DDoS extortion is a thing of the past. The extortion attack peaked at over 800Gbps and targeted a European gambling company, the largest and most sophisticated we've seen since the widespread return of extortion attacks in mid-August 2020. Since that attack, show-of-force attacks have grown from 200+Gbps in August to 500+Gbps in mid-September, before ballooning to 800+Gbps in February 2021."

New attack vectors increase attack complexity

Akamai revealed that nearly two-thirds of the DDoS attacks it observed last year used multiple attack vectors, some as many as 14. Netscout also reported a significant rise in multi-vector attacks, especially in late 2020, including attacks with more than 15 different vectors; the most complex it observed combined 25.

Reflection and amplification attacks that abuse UDP-based protocols remain very popular. The attacker sends requests with a spoofed source IP address (the victim's) to poorly configured servers on the Internet, so those servers send their replies to the victim rather than to the attacker. This achieves two things: reflection, because the victim sees traffic from legitimate servers rather than from the attacker's bots, and amplification, because certain protocols answer a short query with a much larger reply, multiplying the bytes or the packets an attacker can generate per request. The size of a DDoS attack is measured in two ways: bits per second, which saturates bandwidth, and packets per second, which saturates the packet-processing capacity of servers and network devices.

The most common DDoS vector in 2020, in line with past years, was DNS amplification. Other protocols commonly abused for amplification include Network Time Protocol (NTP), Connectionless Lightweight Directory Access Protocol (CLDAP), Simple Service Discovery Protocol (SSDP), Web Services Discovery (WSD or WS-Discovery), UDP-based Remote Desktop Protocol (RDP) and Datagram Transport Layer Security (DTLS).
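The following added example (written for this page, not code from Akamai or Netscout) shows how the two size measures and the reflection signature described above apply in practice: it runs over a handful of constructed one-second flow records, flags bursts of UDP replies arriving from the well-known reflector ports of the protocols just listed, and sizes the traffic toward each destination in both Gbps and Mpps. The 50 Gbps figure is the one quoted from Akamai; the 1 Mpps threshold, the minimum packet count for a reflection candidate and the reflector port list are assumptions for illustration.

```python
"""Reflection/amplification triage over flow records (added example; the flow
records below are constructed, not taken from any vendor report)."""
from collections import defaultdict

UDP, TCP = 17, 6

# UDP source ports of commonly abused reflectors. Reflected traffic reaches the
# victim *from* these ports, since the reflector is answering a spoofed request.
# Assumed mapping for illustration; extend it for your own environment.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    1900: "SSDP",
    3702: "WS-Discovery",
    3389: "RDP/UDP",
    443: "DTLS",
}

# Thresholds: 50 Gbps is the figure Akamai quotes for unprotected services;
# 1 Mpps is an assumed ceiling for a software packet path, used for illustration.
GBPS_THRESHOLD = 50.0
MPPS_THRESHOLD = 1.0
MIN_REFLECTED_PACKETS = 1_000  # below this a flow is just ordinary replies

# Constructed one-second flow records:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 41000, UDP, 1_200_000, 3_600_000_000),  # DNS reflection
    ("198.51.100.11", 123, "203.0.113.5", 41001, UDP, 2_000_000, 960_000_000),   # NTP reflection
    ("198.51.100.12", 389, "203.0.113.5", 41002, UDP, 900_000, 2_700_000_000),   # CLDAP reflection
    ("192.0.2.7", 51234, "203.0.113.9", 443, TCP, 400, 60_000),                   # ordinary HTTPS
    ("192.0.2.8", 53, "203.0.113.9", 52000, UDP, 3, 1_500),                       # a few real DNS replies
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes the reflector emits per byte the
    attacker sends. A 60-byte DNS query answered with 3000 bytes is 50x."""
    return response_bytes / request_bytes


def is_reflection_candidate(src_port, proto, packets):
    """A burst of UDP replies from a well-known reflector port, with no matching
    requests from the victim in the record, is the reflection signature."""
    return proto == UDP and src_port in REFLECTOR_PORTS and packets >= MIN_REFLECTED_PACKETS


def verdict(gbps, mpps):
    """Classify which resource the traffic saturates first."""
    over_bw, over_pps = gbps >= GBPS_THRESHOLD, mpps >= MPPS_THRESHOLD
    if over_bw and over_pps:
        return "saturates both bandwidth (bps) and packet processing (pps)"
    if over_bw:
        return "volumetric: saturates bandwidth (bps)"
    if over_pps:
        return "packet-rate: saturates packet processing (pps)"
    return "below thresholds"


def summarize(flows):
    """Aggregate per destination: Gbps, Mpps, suspected reflection vectors, verdict."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "vectors": set()})
    for src_ip, src_port, dst_ip, dst_port, proto, packets, nbytes in flows:
        t = totals[dst_ip]
        t["packets"] += packets
        t["bytes"] += nbytes
        if is_reflection_candidate(src_port, proto, packets):
            t["vectors"].add(REFLECTOR_PORTS[src_port])
    report = {}
    for dst, t in totals.items():
        gbps = t["bytes"] * 8 / 1e9   # bits per second; records are one second long
        mpps = t["packets"] / 1e6     # packets per second
        report[dst] = {
            "gbps": round(gbps, 2),
            "mpps": round(mpps, 2),
            "vectors": sorted(t["vectors"]),
            "verdict": verdict(gbps, mpps),
        }
    return report


if __name__ == "__main__":
    for dst, r in summarize(SAMPLE_FLOWS).items():
        print(f"{dst}: {r['gbps']} Gbps, {r['mpps']} Mpps, vectors={r['vectors']} -> {r['verdict']}")
    print("DNS 60B query -> 3000B reply: BAF =", amplification_factor(60, 3000))
```

The flagged destination in the sample receives about 58 Gbps and 4.1 Mpps, so it trips both thresholds; the other destination sees only normal traffic. In a real deployment the records would come from NetFlow/IPFIX or sFlow exports, and the port-based heuristic should be combined with the absence of matching outbound requests from the destination, which is the one property spoofed-source reflection cannot fake.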

Attackers constantly look for new vectors and protocols that can bypass existing defenses and mitigation strategies. In March, Akamai observed the first attacks relying on the Datagram Congestion Control Protocol (DCCP, IP protocol number 33), a transport protocol similar to UDP but with the congestion and flow control that UDP lacks. The attacks Akamai has seen so far are plain traffic floods designed to slip past mitigations that only inspect UDP and TCP. The protocol could technically be used for reflection and amplification as well, but there are not enough DCCP servers on the Internet to make reflection worthwhile.
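To see why a flood over protocol 33 slips past rules written for UDP and TCP, here is an added example (my own code, not Akamai's) that builds a few constructed DCCP-Request packets with Python's struct module, parses the IPv4 and DCCP generic headers as laid out in RFC 4340, and runs them through two toy mitigation policies: one that only has UDP and TCP rules, and one that allow-lists transport protocols explicitly. The packets, addresses, ports and policies are all constructed for illustration.

```python
"""DCCP flood vs. UDP/TCP-only mitigation (added example with constructed packets)."""
import socket
import struct
from collections import Counter

PROTO_TCP, PROTO_UDP, PROTO_DCCP = 6, 17, 33
PROTO_NAMES = {PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_DCCP: "DCCP"}
# DCCP packet types, RFC 4340 section 5.1
DCCP_TYPES = {0: "Request", 1: "Response", 2: "Data", 3: "Ack", 4: "DataAck",
              5: "CloseReq", 6: "Close", 7: "Reset", 8: "Sync", 9: "SyncAck"}
REFLECTOR_PORTS = {53, 123, 389, 1900, 3702}  # UDP ports the UDP rule matches


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left zero, never sent on the wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_dccp_request(sport, dport, seq, service_code=0):
    """DCCP generic header with X=1 (48-bit sequence number) and Type=0
    (DCCP-Request), followed by the 4-byte Service Code. Data Offset = 5 words."""
    type_x = (0 << 1) | 1  # Res(3)=0 | Type(4)=0 | X(1)=1
    generic = struct.pack("!HHBBHBB", sport, dport, 5, 0, 0, type_x, 0)
    return generic + seq.to_bytes(6, "big") + struct.pack("!I", service_code)


def parse_ipv4(pkt):
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total_len]}


def parse_dccp(payload):
    sport, dport, doff, _ccs, _csum, type_x = struct.unpack("!HHBBHB", payload[:9])
    ptype, x = (type_x >> 1) & 0x0F, type_x & 1
    # X=1: reserved byte then 48-bit sequence number; X=0: 24-bit sequence number.
    seq = int.from_bytes(payload[10:16] if x else payload[9:12], "big")
    return {"sport": sport, "dport": dport, "type": DCCP_TYPES.get(ptype, f"type{ptype}"),
            "seq": seq, "header_len": doff * 4}


def udp_tcp_only_policy(pkt):
    """Mitigation that only knows UDP and TCP: drops UDP from reflector ports,
    passes TCP, and passes anything else by omission, including protocol 33."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == PROTO_UDP:
        sport = struct.unpack("!H", ip["payload"][:2])[0]
        return "drop" if sport in REFLECTOR_PORTS else "pass"
    return "pass"


def allowlist_policy(pkt, allowed=(PROTO_TCP, PROTO_UDP)):
    """Same UDP rule, but transport protocols not explicitly allowed are dropped."""
    ip = parse_ipv4(pkt)
    if ip["proto"] not in allowed:
        return "drop"
    return udp_tcp_only_policy(pkt)


def tally(packets):
    """Count packets per (protocol or DCCP type, destination) to spot a Request flood."""
    counts = Counter()
    for pkt in packets:
        ip = parse_ipv4(pkt)
        name = PROTO_NAMES.get(ip["proto"], str(ip["proto"]))
        if ip["proto"] == PROTO_DCCP:
            name += "-" + parse_dccp(ip["payload"])["type"]
        counts[(name, ip["dst"])] += 1
    return counts


# Constructed sample: five DCCP-Request packets from spoofed sources to one target,
# one reflected DNS reply (UDP from port 53) and one ordinary TCP packet.
SAMPLE_PACKETS = [
    build_ipv4(f"192.0.2.{i}", "203.0.113.5", PROTO_DCCP,
               build_dccp_request(40000 + i, 5001, 1000 + i))
    for i in range(1, 6)
] + [
    build_ipv4("198.51.100.10", "203.0.113.5", PROTO_UDP, struct.pack("!HHHH", 53, 41000, 8, 0)),
    build_ipv4("192.0.2.7", "203.0.113.9", PROTO_TCP, bytes(20)),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        ip = parse_ipv4(pkt)
        print(PROTO_NAMES.get(ip["proto"]), ip["src"], "->", ip["dst"],
              "udp/tcp-only:", udp_tcp_only_policy(pkt), "allowlist:", allowlist_policy(pkt))
    print(tally(SAMPLE_PACKETS))
```

The practical takeaway is the default: a filter that enumerates the protocols it knows and passes the rest will let a DCCP flood through untouched, whereas one that allow-lists the transports a service actually uses drops it without needing any DCCP-specific logic. Very few Internet-facing services need DCCP, so denying it at the edge is usually safe.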

Netscout researchers concluded: "Abusable UDP open source and commercial applications and services are a valuable asset to attackers who mine such assets to discover new reflection/amplification DDoS attack methods, driving a new wave of attacks." Examples include the SSDP implementation in Plex Media Server and the UDP network discovery protocol used by the Jenkins software development automation server.

Other DDoS vectors that were common last year included TCP ACK floods, TCP SYN floods, TCP RST floods, TCP SYN/ACK amplification and DNS floods, according to Netscout.

DDoS botnets enlist IoT and mobile devices

Botnets of compromised devices and servers are the engine behind DDoS attacks. Mirai variants that infect network and IoT devices still featured prominently in mainstream DDoS botnets in 2020. These devices are typically compromised through weak or default credentials, and Netscout observed a 42% increase in Telnet and Secure Shell (SSH) brute-force attacks compared with 2019.
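As an added example of the detection side of this (my own code, not Netscout's), the following parses constructed sshd lines in the syslog format found in /var/log/auth.log, counts failed password attempts per source address in a sliding window, records the usernames tried against a list of typical default accounts, and escalates when a password success follows a flagged run of failures from the same address. The threshold of five failures in 60 seconds, the default-account list and the sample lines are assumptions for illustration.

```python
"""SSH brute-force detection over auth.log lines (added example; sample lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Accounts that Mirai-style scanners try first; assumed list for illustration.
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "user", "support", "ubnt", "guest"}

FAILS_THRESHOLD = 5     # failures from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds trips the alert

# Matches password auth only; publickey lines are deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample lines in the syslog format used by /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:15:01 edge sshd[2101]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar  3 10:15:03 edge sshd[2102]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Mar  3 10:15:04 edge sshd[2103]: Failed password for invalid user pi from 198.51.100.23 port 51238 ssh2
Mar  3 10:15:06 edge sshd[2104]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 10:15:09 edge sshd[2105]: Failed password for invalid user support from 198.51.100.23 port 51242 ssh2
Mar  3 10:15:11 edge sshd[2106]: Failed password for root from 198.51.100.23 port 51244 ssh2
Mar  3 10:15:14 edge sshd[2107]: Accepted password for pi from 198.51.100.23 port 51246 ssh2
Mar  3 10:16:00 edge sshd[2110]: Failed password for alice from 192.0.2.44 port 40000 ssh2
Mar  3 10:16:05 edge sshd[2111]: Accepted publickey for alice from 192.0.2.44 port 40002 ssh2
"""


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a fixed year is fine for computing deltas.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(log_text):
    """Sliding-window brute-force detection keyed on source IP."""
    state = defaultdict(lambda: {"recent": deque(), "failures": 0, "users": set(),
                                  "flagged": False, "success_after_failures": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        s = state[ip]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
            s["recent"].append(ts)
            # Drop failures that fell out of the window.
            while (ts - s["recent"][0]).total_seconds() > WINDOW_SECONDS:
                s["recent"].popleft()
            if len(s["recent"]) >= FAILS_THRESHOLD:
                s["flagged"] = True
        elif result == "Accepted" and s["flagged"]:
            # A password success after a flagged run is the worst case: a guess worked.
            s["success_after_failures"] = True
    return {
        ip: {
            "failures": s["failures"],
            "users": sorted(s["users"]),
            "default_accounts_tried": sorted(s["users"] & DEFAULT_ACCOUNTS),
            "flagged": s["flagged"],
            "success_after_failures": s["success_after_failures"],
        }
        for ip, s in state.items()
    }


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

The source that cycles through root, admin, pi and support is flagged on its fifth failure and escalated when the password login for pi succeeds; the single failed attempt from the other address stays below the threshold. The same logic applies to Telnet logins if the device logs them, and the cheapest fix on the device side is the one the text implies: disable password authentication and change or remove default accounts.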

Compromised Android devices were also used to launch DDoS attacks. In February, researchers at Netlab, the network security research arm of Chinese security firm Qihoo 360, reported a new botnet called Matryosh that compromises Android devices through the Android Debug Bridge (ADB) interface exposed to the Internet. In Netscout's annual survey of cloud and Internet service providers, nearly a quarter of respondents said they had seen mobile devices used to launch DDoS attacks.

Author: Yoyokuo