Akamai warns of increased activity from DDoS extortion group

Since 2014, DD4BC has been threatening to take down corporate networks with distributed denial-of-service attacks if a Bitcoin ransom is not paid.

Akamai's Prolexic Security Engineering & Research Team (PLXsert) is warning of increased activity by a group – known as DD4BC – that since 2014 has typically threatened to take down corporate networks with distributed denial-of-service (DDoS) attacks if a Bitcoin ransom is not paid.

In its recent report, Akamai said it confirmed 141 attacks executed against 124 unique businesses between September 2014 and July. DD4BC started off small, only executing an average of nearly four DDoS extortion attacks per month from September 2014 to March. Activity started climbing in April with 16 attacks, peaked in June with 41 attacks, and tapered off a bit in July with 31 total attacks.

The organisations being targeted are in a variety of industries, including 58 percent in financial services, 12 percent in media and entertainment, nine percent in online gaming, six percent in retail and consumer goods, five percent in software and technology, and another five percent in internet and telecommunications.

Lisa Beegle, manager of Akamai's PLXsert, told SCMagazine.com in a Thursday email correspondence that DD4BC was first observed targeting seemingly arbitrary companies of varying sizes in North America and Asia.

“DD4BC eventually moved on to European companies, and then focused on companies in Korea, China, Australia, and New Zealand for a period of time,” Beegle said. “Most recently, the US and Canada have been the primary focus; however, we have observed attacks continue to affect various organisations globally.”

The report includes sample ransom emails that DD4BC sent to targets, as well as the follow-up messages sent when the attackers received no response. Based on the emails, the attackers generally asked for between 25 and 50 Bitcoins at first, and then said they would raise the demand to as much as 100 Bitcoins if the ransom was not paid within the deadline, usually 24 hours. As of Thursday, a single Bitcoin was worth about US$240 (£156).

When the ransom was not paid, DD4BC made good on its threats.

Of the 75 incidents mitigated by Akamai, the average peak bandwidth across all attacks was 13.34 Gbps, the average peak packet rate was 3.13 Mpps, and the largest DDoS attack recorded peaked at 56.2 Gbps, the report showed.

Beegle said Akamai cannot confirm who is behind the group or where it is located, and went on to say that targets should not pay the ransom.

“If a targeted organisation pays the ransom, there is no reason to believe that the attackers will not return again, and often for a higher amount,” Beegle said. “Additionally, this could encourage other groups who may use the same name or in some way be associated with this group to threaten your organisation and also send attack traffic. These types of attacks only work when the victims make it profitable for them. Not paying the ransom will often lessen the pervasiveness of these attacks.”

One of the group's latest tactics involves threatening to expose organisations via social media, the report mentioned.

Additionally, “The group's new methodology includes ready use of multi-vector DDoS attack campaigns and revisiting former targets,” the report said. “DD4BC is also incorporating Layer 7 DDoS attacks in its multi-vector attacks, specifically concentrating on the WordPress pingback vulnerability to send reflected GET requests to the target.”

Akamai's mitigation recommendations include deploying anomaly- and signature-based DDoS detection so that attacks are detected before sites become unavailable to users, distributing resources to increase resiliency and avoid single points of failure, and placing Layer 7 DDoS mitigation appliances at strategic locations on the network to reduce the threat to critical application servers.
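The two ideas above, a signature for the Layer 7 pingback-reflection traffic the report describes and an anomaly threshold on top of it, can be combined in a small log monitor. The script below is an added example written for this article, not Akamai's tooling or anything from the report: it scans web-server access logs in combined log format for the User-Agent that WordPress sends when it verifies a pingback ("WordPress/<version>; <site URL>; verifying pingback from <ip>", built in wp-includes/class-wp-xmlrpc-server.php) and raises an alert when the number of distinct reflecting sites seen in one time window reaches a threshold. The log lines, IP addresses, hostnames and the threshold of five reflectors per minute are all constructed assumptions for the example; a real deployment would tune the window and threshold against its own baseline of legitimate pingback traffic.

```python
"""Signature-plus-rate detection for WordPress pingback reflection traffic.

Added example for this article (not Akamai's or the report's code). It
flags access-log requests whose User-Agent matches the WordPress pingback
verifier and alerts when many distinct WordPress sites hit the target in
the same window, which is the footprint of a reflected-GET flood rather
than of an ordinary blog pingback. All log data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined log format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress uses while verifying a pingback source. This is the
# signature half of the detector; on its own it also matches legitimate pingbacks.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+); verifying pingback from (?P<claimed_ip>\S+)$'
)

# Constructed sample log: normal browsing, two legitimate pingbacks at 14:03,
# then six unrelated WordPress sites fetching the front page within one minute.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2015:14:03:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/39.0"
198.51.100.21 - - [10/Aug/2015:14:03:40 +0000] "GET /blog/post-1/ HTTP/1.1" 200 8804 "-" "WordPress/4.2.2; http://blog-a.example; verifying pingback from 192.0.2.77"
198.51.100.22 - - [10/Aug/2015:14:03:55 +0000] "GET /blog/post-1/ HTTP/1.1" 200 8804 "-" "WordPress/4.1; http://blog-b.example; verifying pingback from 192.0.2.77"
198.51.100.31 - - [10/Aug/2015:14:05:01 +0000] "GET /?1441 HTTP/1.0" 200 5120 "-" "WordPress/4.2.2; http://site-1.example; verifying pingback from 192.0.2.5"
198.51.100.32 - - [10/Aug/2015:14:05:02 +0000] "GET /?1442 HTTP/1.0" 200 5120 "-" "WordPress/4.0.1; http://site-2.example; verifying pingback from 192.0.2.5"
198.51.100.33 - - [10/Aug/2015:14:05:02 +0000] "GET /?1443 HTTP/1.0" 200 5120 "-" "WordPress/3.9; http://site-3.example; verifying pingback from 192.0.2.5"
198.51.100.31 - - [10/Aug/2015:14:05:03 +0000] "GET /?1444 HTTP/1.0" 200 5120 "-" "WordPress/4.2.2; http://site-1.example; verifying pingback from 192.0.2.5"
198.51.100.34 - - [10/Aug/2015:14:05:04 +0000] "GET /?1445 HTTP/1.0" 200 5120 "-" "WordPress/4.2; http://site-4.example; verifying pingback from 192.0.2.5"
198.51.100.35 - - [10/Aug/2015:14:05:05 +0000] "GET /?1446 HTTP/1.0" 503 0 "-" "WordPress/4.1.5; http://site-5.example; verifying pingback from 192.0.2.5"
198.51.100.36 - - [10/Aug/2015:14:05:07 +0000] "GET /?1447 HTTP/1.0" 503 0 "-" "WordPress/4.2.2; http://site-6.example; verifying pingback from 192.0.2.5"
203.0.113.11 - - [10/Aug/2015:14:05:09 +0000] "GET /about/ HTTP/1.1" 200 3001 "-" "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 Safari/537.36"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_pingback_verifier(user_agent):
    """Signature check: does this User-Agent look like a WordPress pingback verifier?"""
    return PINGBACK_UA_RE.match(user_agent) is not None


def detect_pingback_flood(lines, window_seconds=60, min_reflectors=5):
    """Bucket verifier GETs into fixed windows and return one alert per noisy window.

    The anomaly half of the detector: a legitimate pingback comes from one or
    two sites that actually linked to the page, while a reflection flood shows
    many unrelated sites requesting the same target within seconds of each other.
    """
    sources = defaultdict(set)   # window start (epoch seconds) -> reflector IPs
    requests = defaultdict(int)  # window start -> number of verifier requests
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not is_pingback_verifier(rec["ua"]):
            continue
        start = int(rec["time"].timestamp()) // window_seconds * window_seconds
        sources[start].add(rec["ip"])
        requests[start] += 1

    alerts = []
    for start in sorted(sources):
        if len(sources[start]) >= min_reflectors:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc),
                "reflectors": len(sources[start]),
                "requests": requests[start],
                "sources": sorted(sources[start]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_pingback_flood(SAMPLE_LOG.splitlines()):
        print(f"{alert['window_start']:%Y-%m-%d %H:%M} UTC: {alert['reflectors']} reflecting sites, "
              f"{alert['requests']} requests from {', '.join(alert['sources'])}")
```

The alert lists the reflector addresses rather than the IP the attacker named in the pingback request, because the reflectors are the hosts whose traffic a Layer 7 filter or rate limit would act on; the "verifying pingback from" value is attacker-controlled and is only useful as a correlation key across reflectors. Counting distinct sources per window, rather than raw request volume, keeps a single busy legitimate blog from tripping the threshold while still catching a flood spread thinly across many abused sites.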