
Ransom DDoS: the growing challenge on the cyber scene

Ransom DDoS, a digital threat that combines denial of service and extortion, is emerging as an increasingly significant and growing challenge in the cyber world. This complex phenomenon, which uses the interruption of online services as a bargaining chip, brings with it nuances that deserve in-depth analysis.

In this article, we will explore the complexities of RDDoS, tracing its evolution from the earliest records to the modern tactics carried out by contemporary cybercriminals.

RDDoS: you never know when this attack will happen

DDoS ransomware has become one of the most damaging cybercrimes. Although it is not new, this type of crime has wreaked havoc all over the world, affecting everything from small businesses to global corporations. Cybercriminals infect computers and demand money to restore them.

On February 21 of this year, one of these attacks hit Change Healthcare in the United States, a company that processes health insurance documentation (prescriptions, certificates, charges, payments, transfers of funds and much more). Because the company processes data for around half of all health plans, losses across the sector have already surfaced. Many clinics and laboratories have warned the market that they are running out of cash and, in some cases, will have to resort to bank loans to balance their books.

The attack could have started in any number of ways: a phishing campaign (malware delivered by email, for example) or an intrusion into the network through a vulnerability in one of the devices connected to it. There is, however, a form of extortion in which the cybercriminal also demands a ransom but needs none of this. Ransom DDoS requires no malware, is launched remotely against the victim's services, and delivers its ransom demand by email. Companies that are not protected by a good malicious-traffic mitigation service should consider themselves at risk.

Figure: Execution flow of a Ransom DDoS attack

DDoS is already offered as a service

RDDoS grew alongside the rental of attack platforms. This rental model has come to be known as DDoS-as-a-Service, and it has multiplied criminals' interest by offering almost immediate gains at very low cost and risk.

Storm, in 2007, was one of the first botnets to offer attacks as a service: the network had between 250,000 and 1 million devices and could be rented by anyone. Some of its servers were shut down in 2008 and it gradually became inactive. Since then, the RDDoS model has allowed gangs with basic technical skills (or none at all) to launch heavy attacks on their victims.

It is practically impossible to predict when and where such an attack will occur. Law enforcement agencies around the world monitor the dark web for clues. Even so, it is rare for the news to report the arrest of a person charged with carrying out or planning a DDoS attack, with or without a ransom demand.

Most frequently, the platforms selling the service are discovered and taken down. These platforms control one or more botnets and activate them against one or more Internet addresses when someone hires their services.

A difficult problem for the authorities

No matter how hard authorities in every country work to combat cybercriminals and dismantle their resources, such as servers, platforms and domains, the criminals are constantly organizing new botnets and setting up new platforms to sell attack services. One of the main reasons is demand: many people are looking for these services, both on the dark web and on the surface web.

One of the main attractions for these new cybercriminals is that they do not have to spend much to gain access to the firepower of these cyberweapons. In addition, a survey published last year by the cybersecurity company Searchlight Cyber revealed growth both in the availability of these platforms, known as "stressers" and "booters", and in the number of people interested in them.

One of these platforms, "Nightmare Stresser", operating since 2020, already had more than 566,000 registered users and 52 servers, and could carry out attacks using 28 different methods divided into three broad categories: Layer 4 (Transport) UDP, Layer 4 (Transport) TCP and Layer 7 (Application) TCP. Another platform covered by the survey, Paper Stresser, used 12,000 bots to conduct its attacks and could fire up to 700 GB/s.

The platform offered its Ransom DDoS service at four monthly subscription prices, ranging from $30 to $125, and promised attack durations of up to 500 seconds using 18 different methods. Other platforms charge anywhere from $30 a month to $18,000 a quarter. At the top end, the most expensive tier offers unlimited attacks per day, each lasting up to two hours, with the ability to run a hundred attacks simultaneously.
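As an added illustration (not code from the original article or from Huge Networks), the following Python sketch groups constructed flow records into the three method categories the survey names and flags per-destination windows whose packet count or distinct-source count exceeds a threshold; the addresses, thresholds and record format are assumptions.

```python
from collections import defaultdict

def classify(flow):
    """Map a flow record onto the three method categories named in the survey."""
    if flow["proto"] == "udp":
        return "Layer 4 UDP"
    if flow["proto"] == "tcp" and flow["syn_only"]:
        return "Layer 4 TCP"          # handshake never completes: SYN-style flood
    if flow["proto"] == "tcp" and flow["dport"] in (80, 443):
        return "Layer 7 TCP"          # completed sessions hammering the web tier
    return "other"

def detect(flows, window_s=1, pkt_threshold=5000, src_threshold=100):
    """Aggregate per (destination, time window, category) and return the windows
    whose packet volume or number of distinct sources crosses the assumed thresholds."""
    buckets = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for f in flows:
        b = buckets[(f["dst"], f["ts"] // window_s, classify(f))]
        b["pkts"] += f["pkts"]
        b["bytes"] += f["bytes"]
        b["srcs"].add(f["src"])
    alerts = []
    for (dst, win, cat), b in sorted(buckets.items()):
        if b["pkts"] >= pkt_threshold or len(b["srcs"]) >= src_threshold:
            alerts.append({"dst": dst, "window": win, "category": cat,
                           "pkts": b["pkts"], "bytes": b["bytes"], "sources": len(b["srcs"])})
    return alerts

def constructed_flows():
    """Constructed sample records (documentation-range addresses), not real telemetry."""
    flows = []
    for i in range(150):   # second 0: 150 sources flood UDP/53 on the target
        flows.append(dict(ts=0, proto="udp", src=f"198.51.100.{i}", dst="203.0.113.10",
                          dport=53, pkts=40, bytes=40 * 1400, syn_only=False))
    for i in range(60):    # second 1: 60 sources send SYN-only flows to 443
        flows.append(dict(ts=1, proto="tcp", src=f"192.0.2.{i}", dst="203.0.113.10",
                          dport=443, pkts=100, bytes=100 * 60, syn_only=True))
    for i in range(3):     # second 1: three ordinary HTTPS sessions (should not alert)
        flows.append(dict(ts=1, proto="tcp", src=f"192.0.2.{200 + i}", dst="203.0.113.10",
                          dport=443, pkts=20, bytes=20 * 900, syn_only=False))
    return flows

if __name__ == "__main__":
    for alert in detect(constructed_flows()):
        print(alert)
```

Real deployments would feed this from NetFlow/sFlow exports and tune the thresholds per destination against a baseline; the two alerts produced here (UDP flood in window 0, SYN flood in window 1) leave the legitimate HTTPS sessions untouched.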

Three days of RDDoS attacks

One of the most serious RDDoS attacks began on October 21, 2022 and only ended two days later. The victims were eight companies that offer secure e-mail and other privacy and security services. Among them: Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, Kolab Now and RiseUp. They all received an email asking for a ransom of 0.06 BTC (around US$4,000 at the time).

The companies were given three days to pay, and the attackers threatened to take their networks offline if payment did not arrive. The same pattern is now being seen among small and medium-sized Internet access providers in Brazil: attackers launch DDoS against them and send emails demanding payment to end the attack.

Although the problem is not new, there are no signs of it disappearing. It can arise at any time, with varying intensity and duration, but always with the same demand: money. Many victims have paid up, yet they know that paying is not the solution and that further attacks will follow. The solution lies in investing in technology and in hiring partners who know the subject well, such as Huge Networks, and who have the resources to filter traffic and protect customers from attacks like these.
