
The rise of Ransom DDoS: How organizations can prepare

(Image credit: Profit_Image / Shutterstock)

Cyber-criminals are broadening their horizons and raising their ambitions. Ransomware attacks dominate cyber-crime headlines and present an increasing, and very real, threat to all businesses. The threat has become so detrimental that recent research from the Neustar International Security Council (NISC) found a startling 44 percent of organizations have been the target or victim of a ransom-related distributed denial of service (RDDoS) attack in the last 12 months. This readily available extortion method now outstrips typical ransomware attack rates and puts businesses across a wide variety of industries at risk of disruption and economic loss.

In light of the rise and increasing sophistication of RDDoS attacks, we talked with Michael Kaczmarek, VP Product Management, Neustar, to explore the implications of RDDoS’ rise and how organizations can best prepare.

Q: Following the recent rise in RDDoS attacks, what are the characteristics of these types of cyberattacks and what does this mean for the nature of ransomware attacks in the future? 

The aim of an RDDoS is to financially extort an organization through threats of, or fully taking its website offline by, a DDoS attack. Where typical ransomware attacks infect and encrypt systems, an RDDoS attack doesn’t require the cybercriminal to gain access to a business’s internal systems before it can be executed.

In fact, targets are often simply sent a demand letter that follows a rudimentary template. In the letter, users are threatened with a DDoS attack unless the demands for payment – usually in the form of Bitcoin – are met. The wide availability of DDoS bots and for-hire services means that nearly anyone can easily become a cybercriminal.

There is technically no difference between a distributed denial of service (DDoS) attack and an RDDoS attack; the latter simply adds extortion to the mix. Carrying out a DDoS attack has become relatively straightforward and has the additional benefit of being more difficult to trace. Cybercriminals are therefore turning to RDDoS attacks over ransomware as an evolutionary point from DDoS but also a migration from ransomware-based attacks. This also raises questions of DDoS-as-a-service and the commoditization of cybercrime in general.

Q: How successful is RDDoS in infiltrating organizations with ransomware? What can organizations do to protect and defend themselves against these attacks?

While RDDoS in itself doesn’t include any ransom software, i.e. ransomware, threat actors often use a combination of tactics. There are reports of what are being termed “triple extortion attacks”: bringing systems down with DDoS, installing encryption ransomware, while also stealing data and threatening data leaks. DDoS attacks can make websites more vulnerable to infection and so this combination can be particularly ruthless.

Speaking in terms of general success rates of extortion, around 60 percent of businesses would consider paying in the event of an attack, with 1 in 5 potentially prepared to spend 20 percent or more of their annual revenue. Compare that to any normal business sales/success rate and you can see why criminals find these tactics so lucrative. Relying on the notion that those who will pay the most to retrieve their data are also often those who need it the most, ransomware is a paralysis that no company can afford.

The main lesson is: understand what you need and get protected. There is a range of protection software and services available, but what you buy should map to your needs. Understanding and knowing where your assets are, your risk factors, the scale of network protection, downtime tolerance – all of these decisions should form part of your cyber resilience strategy and inform the level of web protection your organization requires.

Q: One major debate around ransomware is whether it is right for companies to pay the ransom. What do you think is the appropriate way to respond to ransomware attacks? 

While it is completely understandable why organizations decide to pay, it’s not the answer. There is evidence that large numbers of RDDoS and ransomware victims are being targeted multiple times, and with ransomware attacks growing in such significance that the question is no longer if an organization will be targeted, but when, organizations need contingency plans in place.

Paying the ransom simply makes a company more likely to be targeted again – immediately listing an organization as a high-success rate target. Instead, organizations should think of cybercrime as a business – by paying up, a company is making itself a viable target, with ‘success rate’ chances historically higher than those that haven’t paid. 

Organizations can additionally stop ransomware attempts from impacting their business by implementing a multi-layered security approach to thwart future threats. This includes having a thorough, planned approach to software patch updates and fixes, carrying out frequent vulnerability and penetration testing, and ensuring regular updates to data backup systems are made. Once these basics are in place, organizations should also implement reliable distributed denial of service (DDoS) network protection, along with phishing prevention.

Finally, organizations should always look to utilize recursive Domain Name System (DNS) security services. Because many ransomware attacks rely on communicating with the external control servers to initiate encryption, recursive DNS servers can prevent ransomware attacks by simply blocking the request to activate them.
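The blocking described in the answer above is a resolver policy: a recursive DNS server consults a list of known control-server domains before it resolves a query, and refuses the lookup when the name matches. As an added illustration (not code from the article or from Neustar), the following Python sketch implements that policy as a suffix-matching blocklist, applies it to incoming queries, and reviews a resolver query log to surface which hosts tried to reach blocked names. The blocklist, the client addresses and the log lines are all constructed sample data, and the "upstream" resolver is a labelled stand-in; production deployments normally express the same policy as a DNS Response Policy Zone (RPZ) fed by threat intelligence.

```python
"""
Protective recursive DNS policy (added example, not from the article):
a blocklist-driven filter that refuses resolution for known command-and-control
domains, plus a small log review that shows which clients tried to reach them.
The blocklist, hosts and log lines below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed blocklist of domains a threat-intel feed flagged as C2.
# Matching is by domain suffix, so every subdomain is covered too.
C2_BLOCKLIST = frozenset({
    "c2.example-bad.test",
    "beacon.example-evil.test",
})


def normalize(qname: str) -> str:
    """Lowercase and strip the trailing dot so 'C2.Example-Bad.test.' matches."""
    return qname.strip().lower().rstrip(".")


def is_blocked(qname: str, blocklist=C2_BLOCKLIST) -> bool:
    """True if qname equals, or is a subdomain of, any blocklisted domain."""
    labels = normalize(qname).split(".")
    # Walk from the full name up through its parents:
    # update.c2.example-bad.test -> c2.example-bad.test -> example-bad.test -> test
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


@dataclass
class Answer:
    qname: str
    rcode: str      # "NXDOMAIN" when the policy blocks, upstream rcode otherwise
    blocked: bool


def resolve_with_policy(qname: str, upstream) -> Answer:
    """Apply the policy first; forward to the upstream resolver only if allowed."""
    name = normalize(qname)
    if is_blocked(name):
        return Answer(name, "NXDOMAIN", True)
    return Answer(name, upstream(name), False)


def fake_upstream(qname: str) -> str:
    """Constructed stand-in for a real recursive lookup; always reports success."""
    return "NOERROR"


# Constructed resolver query log: one line per query -> client, qname, qtype.
SAMPLE_LOG = """\
10.0.0.5 www.example.test A
10.0.0.7 beacon.example-evil.test A
10.0.0.5 update.c2.example-bad.test A
10.0.0.7 Beacon.Example-Evil.test. TXT
10.0.0.9 mail.example.test MX
"""


def review_log(log_text: str):
    """Return (blocked_queries, per_client_counts) for queries the policy refuses."""
    blocked = []
    per_client = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        if is_blocked(qname):
            blocked.append((client, normalize(qname), qtype))
            per_client[client] += 1
    return blocked, per_client


if __name__ == "__main__":
    for q in ("www.example.test", "update.c2.example-bad.test"):
        print(resolve_with_policy(q, fake_upstream))
    hits, counts = review_log(SAMPLE_LOG)
    for hit in hits:
        print("blocked:", *hit)
    print("clients with blocked queries:", dict(counts))
```

The per-client counts from `review_log` are the detection side of the same control: a host that repeatedly queries blocked names is a candidate for isolation even though none of its lookups succeeded.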

Q: What advice do you have for organizations who find themselves on the receiving end of an extortion letter from RDDoS attackers?

It is essential that companies do not pay the ransom. Letters usually come with a timeline, so companies should work with their DDoS security provider to best prepare for any attacks. In addition, organizations should make sure they’ve got an open line of communication set up with their DDoS security provider, especially on day zero. If companies can, they should provide the provider with systems access or monitoring too. By making sure an organization’s Disaster Recovery platforms are up to date and ready to go, this can prevent RDDoS from impacting continuity of business operations.

Q: Is there more that governments and the wider industry can do to help organizations when they do fall victim to ransomware?

The important thing here is that there is an education piece. Organizations are prepared to pay out potentially millions in ransom but don’t effectively invest relatively minimal sums in defense software and services. As an industry, we need to make it much easier and more accessible for CISOs and security managers to put forward the argument for robust cyber resilience investment by businesses in the context of expense and increasing ransom attack likelihood.

Michael Kaczmarek, VP Product Management, Neustar