DDoS Attackers Revive Old Campaigns to Extort Ransom
Hackers Circle Back to Again Attack Victims Who Refused to Pay an Earlier Ransom Demand
Threat actors behind a distributed denial-of-service campaign targeted the same set of victims again after the organizations failed to pay the initial ransom, a new report by security firm Radware finds.
The report notes the victims were first hit by the unidentified group in August or September 2020. Then, when the victims failed to pay the initial ransom demand, they were sent additional ransom extortion emails in December 2020 and January, with the threat actors demanding between five and 10 bitcoins ($160,000 to $320,000).
Soon after the victims received the second set of threatening messages, the organizations were hit with a DDoS attack that exceeded 200Gbps and lasted more than nine hours without interruption, the report notes.
"Maybe you forgot us, but we didn't forget you. We were busy working on more profitable projects, but now we are back," the second ransom note read, according to Radware.
Radware researchers believe the two rounds of attacks were conducted by the same threat actor due to the similarities in the attack infrastructure and the messages received from the attackers. Also, the companies that received the new letters were not revealed to the media last year, so only the original threat actors would know the organizations had been previously targeted.
Radware's researchers say the tactics recently observed with the attacks launched by this particular group indicate a fundamental change in how it operates. Previously, the operators would target a company or industry for a few weeks and then move on.
"The 2020-2021 global ransom DDoS campaign represents a strategic shift from these tactics. DDoS extortion has now become an integral part of the threat landscape for organizations across nearly every industry since the middle of 2020," the report states.
The other major change spotted is that this threat group is no longer shy about returning to targets that initially ignored its attack or threat, with Radware saying companies that were targeted last year could expect another letter and attack in the coming months.
"We asked for 10 bitcoin to be paid at (bitcoin address) to avoid getting your whole network DDoSed. It's a long time overdue and we did not receive payment. Why? What is wrong? Do you think you can mitigate our attacks? Do you think that it was a prank or that we will just give up? In any case, you are wrong," the second letter says, according to Radware.
"The perseverance, size and duration of the attack makes us believe that this group has either been successful in receiving payments or they have extensive financial resources to continue their attacks," the report states.
Another reason Radware believes the hackers revived their past campaign is the surge in bitcoin's value. While the bitcoin price stood at $10,000 in August 2020, by the end of the year it had jumped to approximately $30,000.
Even if a second round of letters and DDoS attacks is received, Radware recommends against paying the attackers' ransom, as there is no guarantee a payment will result in the attackers abandoning their efforts.
"Knowing an organization has succumbed to the threat will lead them to circle back in the future," the report adds.
Other recommendations include:
- Hybrid DDoS protection to include on-premises and cloud DDoS protection for real-time DDoS attack prevention that also addresses high-volume attacks and protects from pipe saturation;
- Behavioral-based detection to quickly and accurately identify and block anomalies while allowing legitimate traffic through;
- Real-time signature creation to promptly protect from unknown threats and zero-day attacks;
- A cybersecurity emergency response plan in place.
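The "behavioral-based detection" and "pipe saturation" recommendations above are stated at a high level. The following script is an added illustration of what such logic looks like in practice; it is not Radware's code or the report's own method. It learns a packets-per-second baseline from a quiet period, flags seconds whose aggregate rate is anomalous, attributes the anomaly to the sources dominating that second while skipping an allowlist so legitimate traffic keeps flowing, and separately flags seconds whose offered load would saturate the upstream link. The flow records, the 1 Gbps link capacity, the allowlisted host and the 203.0.113.0/24 sources are all constructed for the example.

```python
"""Added example: behavioral (rate-baseline) DDoS detection over constructed flow telemetry.

Learns a packets-per-second baseline from a quiet period, flags seconds whose
aggregate rate is anomalous, attributes the anomaly to the dominant sources
(skipping an allowlist so legitimate traffic keeps flowing), and separately
flags seconds whose offered load would saturate the link.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-second packet counts from a quiet period (not real traffic).
BASELINE_PPS = [950, 1020, 980, 1005, 990, 1010, 970, 1000, 995, 1015]

# Constructed flow records for a monitored window: (second, src_ip, packets, bytes).
# 203.0.113.0/24 is documentation address space standing in for attack sources.
WINDOW_FLOWS = [
    (0, "10.0.0.5", 40, 48_000),
    (0, "198.51.100.7", 35, 42_000),
    (0, "192.0.2.10", 900, 1_080_000),
    (1, "10.0.0.5", 40, 48_000),
    (1, "198.51.100.7", 30, 36_000),
    (1, "192.0.2.10", 850, 1_020_000),
    (1, "203.0.113.9", 60_000, 84_000_000),
    (1, "203.0.113.10", 55_000, 77_000_000),
    (2, "10.0.0.5", 40, 48_000),
    (2, "203.0.113.9", 70_000, 98_000_000),
]

ALLOWLIST = {"10.0.0.5"}           # hypothetical known-good host (e.g. a monitoring probe)
LINK_CAPACITY_BPS = 1_000_000_000  # hypothetical 1 Gbps upstream pipe


def learn_threshold(samples, k=3.0):
    """Aggregate pps threshold: mean plus k standard deviations of the quiet-period samples."""
    return mean(samples) + k * pstdev(samples)


def bucket_flows(flows):
    """Group flow records into {second: {src_ip: [packets, bytes]}}."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for second, src, pkts, nbytes in flows:
        buckets[second][src][0] += pkts
        buckets[second][src][1] += nbytes
    return buckets


def detect(flows, threshold_pps, link_capacity_bps, allowlist=frozenset(),
           share_threshold=0.2, saturation_fraction=0.9):
    """Return anomalous seconds, link-saturating seconds and the sources worth blocking.

    A source becomes a block candidate only during an anomalous second and only
    if it contributes more than share_threshold of that second's packets, so
    ordinary clients caught in the same window are left alone.
    """
    buckets = bucket_flows(flows)
    anomalous, saturated, candidates = [], [], set()
    for second in sorted(buckets):
        per_src = buckets[second]
        total_pkts = sum(p for p, _ in per_src.values())
        total_bits = 8 * sum(b for _, b in per_src.values())
        if total_bits > saturation_fraction * link_capacity_bps:
            saturated.append(second)  # offered load would fill the pipe
        if total_pkts > threshold_pps:
            anomalous.append(second)  # rate anomaly relative to the learned baseline
            for src, (pkts, _) in per_src.items():
                if src in allowlist:
                    continue
                if pkts / total_pkts > share_threshold:
                    candidates.add(src)
    return {"anomalous_seconds": anomalous,
            "saturated_seconds": saturated,
            "block_candidates": candidates}


if __name__ == "__main__":
    threshold = learn_threshold(BASELINE_PPS)
    print(f"baseline threshold: {threshold:.1f} pps")
    print(detect(WINDOW_FLOWS, threshold, LINK_CAPACITY_BPS, ALLOWLIST))
```

On the constructed data, second 1 is both anomalous and link-saturating, second 2 is anomalous but stays under the saturation mark, and only the two 203.0.113.x sources are proposed for blocking. Keeping the two checks separate matters in practice: a rate anomaly can be handled by an on-premises appliance, while a saturated pipe can only be relieved upstream, which is the reason the report pairs on-premises with cloud scrubbing.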
DDoS Attack Trends
This month, security firm Check Point Research uncovered a new botnet dubbed FreakOut that launched DDoS attacks to target vulnerable Linux systems (see: 'FreakOut' Botnet Targets Unpatched Linux Systems).
In December, security firm Citrix warned that threat actors were taking advantage of the company's ADC products to conduct and amplify distributed denial-of-service attacks, according to a notification published by the firm (see: Citrix Warns Its ADC Products Are Being Used in DDoS Attacks).
Earlier, the FBI issued a warning that the bureau had seen a steady increase in not only the number of DDoS attacks affecting U.S. organizations, but also in the techniques used to amplify these attacks (see: FBI Alert Warns of Increase in Disruptive DDoS Attacks).