Distributed denial of service (DDoS) attacks have gone through evolutionary changes over the years. Back in the day, they would mostly revolve around the shenanigans of hacktivists motivated by political or other types of protest. These noble hues of DDoS nearly vanished as cybercriminals realized they could leverage such attacks to get rich quickly.
The tactic is to threaten to knock an organization's website offline by firing an abnormally large volume of traffic at it. To keep the threat from being carried out, the victim is instructed to cough up a ransom in bitcoins or another cryptocurrency. This shift in the felons' modus operandi has given rise to a new term, Ransom DDoS (RDoS). While the intimidation is often all bark and no bite, a series of notorious incidents has demonstrated how viable this cybercrime model can be.
DDoS-as-a-Service democratizes extortion
It is getting easier for wannabe criminals to jump on the DDoS bandwagon. The bar to entry dropped with the emergence of what's called DDoS-as-a-Service, or DDoS-for-Hire. These are platforms on the dark web that provide fully fledged services for generating junk traffic that can be thrown at a specified target. Many of them rely on botnets consisting of thousands of vulnerable IoT devices, such as IP cameras and Internet routers, compromised in mass attacks. The rates for renting these turnkey tools are ridiculously low, which is a lure for malefactors.
A recent example is a DDoS platform with an exotic name, "Passion," linked to a pro-Russian cybercriminal group. It was reportedly used in raids against healthcare organizations in the U.S. and eight European countries in late January 2023. According to researchers, this was hacktivists’ payback for sending tanks to Ukraine in support of the country’s fight against Russian invaders.
The "Passion" platform lets its unscrupulous customers choose from multiple DDoS attack vectors (10 methods are available) as well as the duration and amplitude of the flood. A weekly subscription costs as little as $30, the monthly plan is $120, and a one-year plan is around $1,440. At these rates, disrupting an enterprise network or taking down a big-name website on a budget is entirely feasible.
Game-changing ransom DDoS incidents
The first major reported DDoS-for-ransom (RDoS) case involved ProtonMail, a popular Switzerland-based provider of encrypted email services. The incursion was pulled off by a hacking group calling themselves Armada Collective in November 2015. The threat actors sent the company a blackmail message stating that they would flood the service with more traffic than it could handle unless a ransom was paid. To prove it wasn't a joke, they conducted a test attack that made the service inaccessible for about 15 minutes.
When the black hats realized they wouldn't get any money the easy way, they unleashed a full-fledged 100Gbps attack targeting ProtonMail's upstream providers and data centers. Neither the company nor the hosting ISP was able to withstand that much bandwidth, so the damage was critical. Ultimately, the victim elected to send 15 bitcoins (about $6,000 at the time) to the perpetrators. However, the assault continued regardless and took significant effort to contain.
Another infamous RDoS campaign zeroed in on high-profile Asian organizations. It started with the Erebus ransomware attack that hit Nayana, one of South Korea's top hosting providers, in June 2017. The malicious program encrypted data on 153 servers belonging to the firm, preventing thousands of customers from accessing their records. To remediate the damage, Nayana paid a whopping $1 million worth of bitcoins to the extortionists.
The story didn't end there, though. The crooks must have surmised that Asian organizations were low-hanging fruit for blackmail, so they started sending RDoS threat emails to large South Korean and Chinese banks. The targets included Shinhan Bank, KEB Hana Bank, and KB Kookmin Bank. The good news was that the threats never materialized into anything serious: the attacks that were actually mounted peaked at 5-20Gbps.
One more DDoS campaign was waged in Germany in April 2017 and stood out from the crowd in several ways. A cybercriminal crew dubbed XMR Squad launched attacks against local businesses and then reached out to company representatives with €250 invoices for what they called a DDoS protection system test. The victims included the DHL Express courier service, the Aldi Talk mobile operator, and the website of the North Rhine-Westphalia government.
The weird thing was that the adversary first conducted the attacks and sent invoices for the purported network stress test after the fact. Another unusual aspect was that XMR Squad demanded fiat currency (Euros) rather than bitcoins or altcoins, which demonstrated really poor OPSEC.
Ransom DDoS criminals get caught
DDoS extortion doesn't always end well for the crooks themselves. Fortunately, law enforcement agencies are getting better at attributing such attacks to specific people, which has led to the arrests of RDoS operators.
In a successful move by Europol, codenamed Operation Pleiades, authorities arrested members of the DD4BC hacking crew in December 2015. This cybercriminal ring mostly targeted Austrian companies with DDoS-for-ransom onslaughts. An attack would typically start with a relatively small flood of packets, followed by a blackmail notification. If the victim refused to pay the ransom, the crooks would fire much heftier floods shortly afterward.
The UK’s Metropolitan Police Cyber Crime Unit chased down the leader of DD4BC and an accomplice. Both were arrested in Bosnia and Herzegovina. Overall, experts from nine countries teamed up for Operation Pleiades to succeed.
One more extortion attempt led to the arrest of Iranian-born Seattle resident Kamyar Jahanrakhshan in July 2017. The 32-year-old man threatened Leagle.com with DDoS attacks unless the service agreed to remove court documents related to him from its database.
When the organization refused to meet his demands, Jahanrakhshan hired a group of hackers to DDoS it along with a few media companies, including The Metro News, Fairfax Media, and the Canadian Broadcasting Corporation. It was only after Leagle.com removed the court opinion on the suspect from its website that the abnormal IP traffic subsided. Ultimately, the extortionist was apprehended. In June 2020, he was sentenced to five years in jail and ordered to pay a $520,000 fine.
How to minimize the ransom DDoS risk
The only viable way for companies to avoid the worst-case scenario when it comes to DDoS extortion is to improve the resilience of their IT infrastructure. This is doable by turning to a third-party DDoS mitigation service, such as Cloudflare, Arbor Networks, or Akamai. These defenses boil down to spreading traffic floods across thousands of servers and thus absorbing the bulk of their power before they reach the target. And last but not least, do not pay the ransom from the get-go, as most RDoS attacks are empty threats.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. He runs the MacSecurity.net and Privacy-PC.com projects.