One of the hardest attacks to defend against is a distributed denial of service attack. In October of 2016, the Mirai botnet launched DDoS attacks against multiple well-defended web services such as Amazon, Netflix, and Reddit. Even though these websites have protections against denial of service attacks, they are still susceptible to these types of attacks. This can be alarming for small to medium sized businesses with less information security resources. Since DDoS attacks are difficult to defend against, cyber criminals are exploiting this fear by threatening a future attack unless the business pays some sort of ransom. A typical ransom note looks something like this:
From: Armada Collective
Subject: DDOS ATTACK!!
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.
Your network will be DDoS-ed starting [date] if you don’t pay protection fee – 10 Bitcoins @ [Bitcoin Address].
If you don’t pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.
This is not a joke.
Our attacks are extremely powerful – sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just 10 BTC @ [Bitcoin Address]
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
Dissecting the Threat
The recent ransom notes are claiming to be from the Armada Collective or Lizard Squad, but both have the same theme of threatening a DDoS attack at a future date and demanding a sum of bitcoin to prevent the attack. While there are cyber criminals who do demand a payment to stop an attack, an email coming in beforehand is not something you should take seriously. In fact, a DDoS protection company CloudFare researched these ransom notes and compared them to actual DDoS attacks seen on the Internet. This research showed that there were absolutely zero attacks which followed through with an attack, regardless of the organization paying a ransom or not.
Most, if not all, of these extortion emails are coming from individuals or small groups of criminals who are looking to make a quick buck. It’s doubtful that anyone behind the emails has the capability to carry out a DDoS attack to bring down your publicly facing systems. The amount of money being requested via ransom is best spent on defensive measures to prevent DDoS type attacks. A combination of appropriate protections from your Internet Service Provider as well as third party protection services can prevent all but the most sophisticated DDoS attacks.
No Need to Worry
The typical DDoS attack is not a tool cyber criminals use to monetize against. While some fraudsters are hoping to leverage the fear of an attack to extort money as outlined here, most DDoS attacks are a distraction mechanism. Bringing a company offline does not open up the opportunity to gain access into an enterprise’s internal network. What it does instead is focus the attention of the internal IT team to getting those services restored while the attackers are performing their actual exploitation. A great example of this was the cyber-attack against Ukraine’s power grid. While the attackers were busy bringing the power offline, they were also flooding the call center with bogus phone calls in an effort to prevent actual customers from reporting power outages.
The good news is that most DDoS attacks are short lived and rarely persist. While this can be considered anywhere from an inconvenience to completely catastrophic, it’s something that can be mitigated beforehand and/or remediated quickly after. If you are concerned your business may be a target for a DDoS attack, work with your ISP to understand the immediate strategies available to reduce your overall risk.
