Rising ransom-related DDoS threats: how to best prepare

RDDoS attacks often come out of the blue, but there are a few key ways you can best prepare for them

Recently, Neustar's Security Operations Centre (SOC) highlighted a disturbing trend: the significant rise in ransom-related DDoS (RDDoS) attacks targeted at a number of online industries.

While these types of attacks are not new, they have increased so dramatically over the last year that the FBI issued a warning to US companies. This was prompted by a large, ongoing campaign that involved malicious actors posing as prominent hacking groups such as Fancy Bear in ransom notes, threatening DDoS attacks unless the victim paid a bitcoin ransom within a short timeframe.

If you work in network security, you never want to receive a message containing a threat like this, urging you to pay a ransom or else be forced to defend against a DDoS attack. Unfortunately, RDDoS attacks often come out of the blue, catching teams off guard. Yet, there are a few key ways you can best prepare for them to ensure that you have done everything possible to weather the storm if your business is hit.

What you need to know

RDDoS attacks are global in their scope, frequently spanning many different industries. While the first attacks of this kind date back to 2003 - primarily targeted at the online gaming sector - last year's initial wave was launched against the financial services sector. Since then, organisations within a variety of different industries, including government, retail, technology and travel, have fallen victim to similar attacks.


The cyber-criminals behind recent RDDoS notes claim to be from infamous cybercrime groups, such as Fancy Bear, Cozy Bear, the Lazarus Group and the Armada Collective. However, with a number of industry insiders claiming that the real Fancy Bear is not involved in these attacks, it is still unclear who the hackers actually are. One thing we do know is that those involved seek to capitalise on the fear of high-profile nation-state attacks.

Despite many of the notes threatening attacks of up to 2 Tb per second, observed attacks have been considerably smaller, ranging from 20 to 300 Gb per second and using a number of attack vectors. In many cases, attacks do not materialise at all, pointing to the possibility that copycat threats are coming from multiple actors with varying capabilities.

It has been speculated that one reason for the adoption of DDoS as a ransom vector, as opposed to using malware, is the ease with which such attacks can be carried out. Inserting malware or ransomware into organisations takes time and careful planning. Launching a DDoS attack, in comparison, has become relatively simple and has the added benefit of being harder to trace back to its origin.

What should you do if you are attacked?

If you find yourself on the receiving end of an RDDoS threat, firstly it is important that you remain calm and do not pay it. Paying identifies your organisation as a target worth pursuing and has the potential to invite future attacks, even if the attackers promised to leave you alone in the aftermath.

Secondly, the attack should be reported immediately to the relevant authorities. Any information you can provide may help identify the hackers and ultimately hold them accountable, preventing others facing the same threat.

Lastly, if you work with a third party DDoS protection vendor, you should share all details of the threat. A lot of the time, extortionists do not follow through with an attack, but the situation will need to be closely monitored should one materialise.

The recipe for a robust DDoS strategy

While the actions you take in the event of an RDDoS threat are vital, ensuring that you have an effective DDoS strategy in place beforehand is equally important for mitigating attacks.

A fundamental first step involves assessing your current risk. Key to this is identifying all your online assets and where they reside - from the data centre to the cloud - and considering whether you need to protect everything to allow your business to function. During this stage, you should also look at assets that share infrastructure with one another, particularly high value assets.

Next, you should evaluate the solutions needed to defend these assets against a DDoS attack. The assets you need to protect, your tolerance for downtime and the IT resources available dictate this decision. If your assets are not extensive, DDoS protection via your ISP or cloud service provider could be an option. For larger and more complex networks, though, a DDoS mitigation service or a fully managed cloud DDoS platform is a better choice.

Lastly, you need to implement mitigation strategies and requirements that best match your network configuration and operational needs. Taking an always-on approach, for example, means all traffic is permanently routed through your DDoS mitigation provider's platform, whereas border gateway protocol (BGP) or DNS swings divert traffic to the provider on demand, once an attack is under way.
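The risk-assessment and mitigation-selection steps above can be made concrete. The following is an added example (not code from the article or from Neustar) that works through a constructed asset inventory: it groups assets that share infrastructure, lets each asset inherit the criticality and downtime tolerance of the most important asset it shares a link with, and then maps that to an always-on or on-demand (BGP/DNS swing) protection model. The asset names, infrastructure elements and the 30-minute swing latency are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed inventory (not real assets): each asset lists the infrastructure it
# depends on, its own criticality (1 = low, 3 = high) and the downtime the
# business tolerates for it, in minutes.
ASSETS = {
    "payments-api":   {"infra": ["dc1-uplink", "dns-zone"], "criticality": 3, "downtime_min": 5},
    "marketing-site": {"infra": ["dc1-uplink"],             "criticality": 1, "downtime_min": 240},
    "staff-vpn":      {"infra": ["dc2-uplink"],             "criticality": 2, "downtime_min": 60},
    "static-cdn":     {"infra": ["cloud-lb"],               "criticality": 1, "downtime_min": 480},
}

def blast_groups(assets):
    """Group assets that share any infrastructure element (union-find). Volumetric
    traffic aimed at one member saturates the shared element, so the whole group
    is exposed at once."""
    parent = {name: name for name in assets}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    by_infra = defaultdict(list)
    for name, a in assets.items():
        for element in a["infra"]:
            by_infra[element].append(name)
    for members in by_infra.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])
    groups = defaultdict(list)
    for name in assets:
        groups[find(name)].append(name)
    return [sorted(g) for g in groups.values()]

def effective_risk(assets):
    """Each asset inherits the highest criticality and tightest downtime tolerance
    in its blast group: a low-value site on the same uplink as the payments API
    must be protected as if it were the payments API."""
    out = {}
    for group in blast_groups(assets):
        crit = max(assets[n]["criticality"] for n in group)
        tol = min(assets[n]["downtime_min"] for n in group)
        for n in group:
            out[n] = {"criticality": crit, "downtime_min": tol,
                      "inherited": crit > assets[n]["criticality"]}
    return out

def recommend(assets, swing_minutes=30):
    """Always-on routing where the asset is high-value or its downtime tolerance is
    below the assumed time a BGP/DNS swing takes to divert traffic; on-demand
    swing otherwise. swing_minutes is an assumption, not a figure from the article."""
    return {n: "always-on" if r["criticality"] >= 3 or r["downtime_min"] < swing_minutes
            else "on-demand-swing" for n, r in effective_risk(assets).items()}
```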

An evolving threat

Like all cybercrime, RDDoS threats will continue to evolve. As an industry, it is crucial that we continue to pay close attention to both the information in the ransom messages and the techniques used to carry out the attacks.

In the meantime, organisations should ensure their DDoS protection plans are up to date and stay vigilant. While these threats are no laughing matter, they do not have to result in damaging consequences.

Michael Kaczmarek is vice president of security product management at Neustar