Digital Shadows says DDoS extortion on the rise thanks to Mirai botnet
Digital Shadows says DDoS extortion on the rise thanks to Mirai botnet

Security company Digital Shadows has claimed in its new report that despite the release of the source code of the Mrai botnet, it still isn't as easy to deploy a botnet as it might appear, however it is a godsend for DDoS-extortionists.

They explained: “Since the release of the Mirai source code, the tactic of DDoS has gained notoriety and has been portrayed as a ‘digital nuclear attack' and ‘zombie apocalypse' by elements of the press. Of course, the reality lies short of that with the potential impact of DDoS dependent on the type of threat actor you face, your geography, industry and how well you are placed to deal with the threat.”

In the paper, the firm used the “cone of plausibility” technique to look across current trends, identify drivers that look to impact these trends throughout 2017, and go on to outline three different scenarios: a probable, a plausible and a wild card option.

The firm claims that aside from opportunistic attacks launched for the fun of it – or the “lulz” – there are three main motivations for threat actors looking to use DDoS as a tactic: protests by hacktivists, extortion by cyber-criminals and geopolitical by nation-state affiliated actors.

Speaking with SC Media UK, Michael Marriott, security researcher for Digital Shadows explained that where “nation state affiliated actors might have their own pre-developed botnet”, and hacktivists “might not have the know how” (as Mirai does require servers and some technical knowledge), the release of the source code to Mirai is as though Christmas has come early for cyber-extortionists, as it offers a brand new attack vector, and one which they predict will be targeting the customers rather than companies themselves.

Marriott said: “We all know about DDoS extortion – the process is straightforward. Contact the company, threaten to launch a crippling DDoS attack that will happen unless the company pays a ransom. But what if the actors do not target the company itself to pay the ransom, but its customers?”

DDoS extortion was hot stuff in the first half of 2016. While Europol announced the arrest of members of DD4BC and Brian Krebs blogged about DDoS gang vDOS, other actors going by names like Kadyrovtsy and Armada Collective emerged.  Although there were fewer reports of DDoS extortion in the second half of 2016, the public release of the Mirai botnet source code offers new opportunities for extortionists.

Marriott added: “We've already seen examples of [DDoS extortion], in the case of a DDoS against Squarespace. On November 22, 2016, the US-based web hosting and website building service Squarespace was affected by two distributed denial of service attacks that affected customers between 0029 EST and 0954 EST. Some customers of Squarespace operate e-commerce sites, therefore it was assessed as likely that financial losses were incurred as a result of the attacks.”

Twitter accounts responded to statements by Squarespace, claiming to be a previously known threat actor called "vimproducts", who has advertised DDoS services on the AlphaBay Dark Web marketplace.

These accounts were detected claiming responsibility for the DDoS attacks and attempting to extort Squarespace for up to $US2,000. In one post on Pastebin, the author described it as a “crowdfunded extortion”. While there was no evidence of a ransom being paid, it is possible that it was an attempt by vimproducts to generate publicity for their DDoS-as-a-service offering.

“The targeting of organisations' customers is a worrying trend,” the report said.

The report notes that more recently, on 29 November, customers of Valartis Bank received ransom messages from an unidentified actor claiming to possess their account data and demanding 10 percent of their balance in order to prevent their data from being leaked.

Valartis Bank's parent company reportedly confirmed a breach took place but stated only payment order information was obtained. Statements made by the author of the messages published in the Bild newspaper suggested a realistic possibility the attackers had attempted to approach the bank itself prior to contacting customers.

The threat of DDoS and extortion attacks on retailers and e-commerce sites are particularly heightened during the runup to Christmas. Actors will likely deem the busy sales period as an opportune moment to showcase their capability or to cause widespread disruption by targeting retailers.

“While the case of vimproducts and Squarespace may have occurred as a secondary approach to gaining a ransom payment, what if this was the first target for adversaries?” Marriott said.

“How prepared would companies be to combat this threat? Organisations should consider such alternative scenarios in 2017, as the public release of Mirai can act as a force multiplier for criminal operations, ensuring a response playbook if they are hit by a Mirai DDoS attack, prioritise the right services, and ensure they aren't part of the problem by securing their own IoT devices.”