Are ransom DDoS attacks coming back?

Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at National University of Public Service

Created: 2021-12-06

The emerging threat of ransom DDoS attacks is knocking on the doors, or rather the TCP ports, giving us another example of how cybercriminals are adapting to their victims’ IT infrastructure and cyber defense.

Ransomware is a well-known term and one of the major cyber-enemies of organizations worldwide. But have you ever heard of ransom DDoS? This emerging threat is knocking on the doors, or rather the TCP ports, giving us another example of how cybercriminals are adapting to their victims’ IT infrastructure and cyber defense. In fact, ransom DDoS is not a kind of new attack – we have seen many such incidents in previous decades. It usually starts with a stream of non-legitimate HTTP requests from various sources, then follows with an email that requests a considerable sum of money to stop this activity. Back in the old days, such an attack was devastating, as the digital service would come to a halt and there was no real protection on hand. Later, cloud-based load balancers such as Cloudflare provided a good solution for even the smallest companies.

But DDoS is back. As the Internet Organised Crime Threat Assessment (IOCTA) 2021 report from Europol states, “Law enforcement and private partners are reporting a re-emergence of DDoS attacks accompanied by ransom demands, as well an increase in high-volume attacks compared to the previous year.” That is also confirmed by Cloudflare in its DDoS Attack Trends for Q3 2021 report, stating that “Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world.” According to Kaspersky’s statistics, “Q3 was unusually explosive for the number of DDoS attacks.” Something has changed and DDoS is at center stage once again.

This ’something’ is the modus operandi. First, the attackers seem to have a new botnet type. While the good old Mirai botnet is still infecting IoT devices and now exploiting a vulnerability in Realtek chips, a new family, Meris, is targeting a vulnerability in MikroTik routers. The botnet of routers is much more powerful than a network of IoTs with quite weak hardware. Second, the attack methodology has also changed. As it was reported by both Cloudflare and Kaspersky, the average DDoS lasts only one or two hours. During this short period, the operation can be disrupted, but effective countermeasures can’t be implemented. As many companies received an email that demanded two bitcoins as a ransom before the attack, it is possible that the attackers were trying to prove that their intentions are serious. Third, the victims are not solely traditional targets. Online gaming platforms, media providers, political groups are among those targeted. Fourth, the attackers are well-prepared. We can clearly see that the TTP of state-sponsored groups is appearing at the criminal groups as well. This is obvious in the case of ransomware. But the same trend is also visible in DDoS ransoms. A crime gang behind some DDoS even calls itself “Fancy Lazarus”, reflecting the Russian-based Fancy Bear and the North Korean Lazarus groups.

As a fifth new trend, we should mention amplification. If a DDoS is targeting a specific device in the IT infrastructure, the result is a far more effective attack. This specific device nowadays is the ’security box’. More precisely, it attacks “targets security devices located between the client and the server (so-called middleboxes) — firewalls, load balancers, network address translators (NAT), deep packet inspection (DPI) tools and others,” as revealed by Kaspersky in its Q3 report. This middleware is sometimes an unexpected device. As Cloudflare says: “HTTP attacks against API gateways and the corporate websites of the providers have been combined with network-layer and transport-layer attacks against VoIP infrastructures.”

Why is an API gateway an interesting target? A lack of resources and rate limiting is the fourth major problem in OWASP’s API Security Top 10: “Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force”. If the API gateway is not able to manage this aspect, it leaves a huge attack surface towards even a small-scale DDoS. We at Balasys believe that an API security solution should support proper resource management and we do everything to protect API interfaces from DDoS.