The Hidden Role of DDoS in Ransomware Attacks
Dave Larson offers advice for organisations wishing to protect themselves from the latest types of cyber-extortion
Dave Larson, COO, Corero Network Security
Ransom demands and DDoS attacks are now, more than ever, being used together in inventive new techniques to extract money from victims. This ranges from hackers threatening to launch a DDoS attack unless a ransom is paid, to the recent reports of a multi-layered cyber-attack combining ransomware and DDoS attacks in one. But what is often less understood is the way that sub-saturating DDoS attacks are regularly being used as a precursor to ransomware incursion. Because these attacks are so short – typically less than five minutes in duration – these low-bandwidth DDoS attacks allow hackers to test for vulnerabilities within a network, which can later be exploited through ransomware. Here we outline some of the typical methods of cyber-extortion involving DDoS attacks, and explain why automatic DDoS mitigation is such a key defence in the ongoing battle against ransomware.
Extortion is one of the oldest tricks in the criminal's book, and one of the easiest ways for today's cyber-criminals to turn a profit. As a result, there are a significant number of techniques that hackers will utilise to try and extract money from victims. One of the most common is DDoS ransom attacks, where attackers threaten to launch a DDoS attack against a victim unless a ransom is paid. These attacks can affect any internet-facing organisation and are often indiscriminate in nature. In May, the City of London Police warned of a new wave of ransom-driven DDoS attacks orchestrated by Lizard Squad, in which UK businesses were told that they would be targeted by a DDoS attack if they refused to pay five bitcoins, equivalent to just over £1,500. According to the results of a recent survey, 80 percent of IT security professionals believe that their organisation will be threatened with a DDoS attack in the next 12 months – and almost half (43 percent) believe their organisation might pay such a demand.
But despite the prevalence of DDoS ransom attacks, and its longevity as a technique, nothing elicits the same degree of alarm among security teams as the current threat of ransomware. This type of malware is estimated to have cost US businesses as much as US$ 18 million (£13.7 million) in a single year, and has already claimed a string of high-profile victims including hospitals and public bodies. Earlier this month, European police agency Europol launched a new ransomware advice service aimed at slowing down its exponential rise. But when it comes to protecting your organisation's data from being encrypted and lost, most advice focuses on recovery, rather than prevention. This includes having a good backup policy, which ideally involves serialising data so that multiple versions of the files are available, in case newer versions have been encrypted. But what about taking a more proactive stance?
We know that ransomware is usually delivered via email, inviting respondents to click on a link to download malware. Typically the themes of these emails include shipping notices from delivery companies or an invitation to open other documents that the recipient supposedly needs to review. It's true that many of these emails are sent opportunistically and on a blanket basis to a wide number of potential victims. But we are also seeing an increase in more targeted attacks, designed to gain access to a specific organisation's networks. After all, attacking a larger, more high-profile organisation would normally command a higher potential ransom reward, so hackers are investing an increasing amount of time researching specific victims and locating their vulnerabilities – usually through a variety of automated scanning or penetration techniques, many of which are increasingly incorporating the use of sub-saturating, low-bandwidth DDoS vectors.
Most people associate the term ‘DDoS' with system downtime, because the acronym stands for “Distributed Denial of Service”. But DDoS threats are constantly evolving, and many hackers now use them as a sophisticated means of targeting, profiling, and infiltrating networks. Short, sub-saturating DDoS attacks are typically less than five minutes in duration, meaning that they can easily slip under the radar without being detected by some DDoS mitigation systems. Five minutes may seem like an insignificant amount of time – but an appropriately crafted attack may only need a few seconds to take critical security infrastructure, like firewalls and intrusion prevention systems (IPS) offline. While IT teams are distracted by investigating what might be causing these momentary outages on the network, hackers can map the floor plan of their target's environment, and determine any weak points and vulnerabilities that can later be exploited through other methods, such as ransomware.
It is only by deploying an in-line DDoS mitigation system that is always-on, and can detect and mitigate all DDoS attacks as they occur, that security teams can protect themselves from hackers fully understanding all possible vulnerabilities in their networks. While these short DDoS attacks might sound harmless – in that they don't cause extended periods of downtime – IT teams who choose to ignore them are effectively leaving their doors wide open for ransomware attacks or other more serious intrusions. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it's essential that organisations maintain a comprehensive visibility across their networks to spot and resolve any potential incursions as they arise.
Contributed by Dave Larson, COO, Corero Network Security