In the last few months ransom attacks have dominated cybercrime headlines.
First, the Colonial Pipeline attack shut down 45% of the fuel supply for the US east coast, triggering panic buying that led to shortages and long lines for gas. Shortly after that was resolved – by a $4.4 million ransom payment, we have since learned – another well-publicized attack threatened food supplies.
These attacks employed ransomware, but it’s not the only dangerously escalating cyberthreat that involves a ransom-for-access demand.
DDoS (distributed denial of service) extortion attacks are escalating as well.
These two types of attacks have much in common. For starters, both now present a greater and faster-growing threat than they did just a few months ago.
Both are motivated by the prospect of a big payday involving extortion. Both rely on cybercurrencies for ransom payments. Both threaten to bring the victimized organization to a standstill. And while successful DDoS extortion attacks have received much less exposure than ransomware attacks, they are every bit as effective in freezing an organization – even sophisticated, well-known financial services providers.
There is one important difference. Ransomware attacks require the cybercrooks to insert malware into a victim’s network. However, DDoS extortion attacks don’t require the bad guys to sneak anything into your network. They’re the cyber-crime equivalent of a mugging; they come out of nowhere.
The first warning you will have of an impending attack is a ransom note, threatening to overwhelm your network with a massive flood of traffic. The cybercrooks typically promise a demonstration attack on a specific IP, subnet or system to show they mean business.
Recently these show-of-force attacks have ranged between 150 and 250 Gbps for an hour or so, long and intense enough to make it frighteningly clear that the bad actors have the capabilities to deliver on their threat – unless you pay the specified ransom.
Question 1: If you receive one of these threats, should you pay the ransom?
It can be tempting. The bad guys promise the payment will end the threat, and there is at least some chance you could get some of it back.
But no, we recommend that you don’t pay, for one important reason: You are inviting future attacks by identifying your organization as a worthwhile target – despite the often-explicit promise of the extortionists to leave you alone.
However, the decision to pay or to not pay needs to be based on your organization’s risk tolerance. No extortion campaign is alike. And, while it is unclear regarding follow-up attacks for Ransom DDoS, we do know that for ransomware, as many as 80% of organizations that paid to end a ransomware attack experienced a subsequent attack, and almost half believed the second attack came from the same source.
Question 2: If you shouldn’t pay the ransom, is there some way to be prepared?
Fortunately, yes. The last time we saw a spike in these attacks, my colleague Matt Wilson wrote an excellent guide to preparing your organization and its digital assets to cope with a DDoS extortion attack. The points he made and steps he outlined all still apply, and it is well worth your time to review.
The key take-away: Have a powerful DDoS mitigation capability readily available for pre-planned, preferably instantaneous deployment. When you are prepared to confidently mitigate even a large or intense DDoS attack, your organization is no longer vulnerable to the threat.
At Neustar, we’ve seen a number of our clients adapt their DDoS strategy in recent months, shifting from on-demand protection to always-on DDoS mitigation. This approach ensures the fastest possible response to any attack that occurs, since your protected traffic is always routed through our mitigation platform.
It’s a sensible approach that can ease your concerns about the threat of DDoS extortion attacks. In fact, these attacks rarely target organizations with an always-on security posture. The cybercrooks are looking for easier targets of opportunity.
Question 3: Do I really need to plan for this?
Yes, you do. DDoS extortion attacks are a serious enough threat to have triggered FBI flash warning MU-000132-DD last August, and after a bit of lull the bad actors have ramped up their activity once again.
The target list for the current wave of attacks includes businesses in an exceptionally broad range of industries:
- Financial services
- Insurance
- Energy
- Manufacturing
- Public utilities
- Retail and ecommerce
- Technology and software
- Travel and hospitality
Given the reach of these attacks, it’s not surprising that a recent survey revealed that more than half of business leaders experienced a DDoS extortion attack in the last year – a staggeringly high percentage. An even higher number — 68% — reported that their organization had weathered a DDoS attack of any kind in the last 12 months.
Our experience confirms these findings. DDoS attacks have increased dramatically in the last year. It’s the result of a confluence of trends, including new patterns of remote access to corporate networks and the migration of more assets to the cloud as a result of digital transformation initiatives.
We’ve summarized the effects of these trends in a recent whitepaper, DDoS Disruption Impacts. It outlines the changing nature of the DDoS threat and explains in detail your options for protecting critical assets wherever they reside.
The critical take-away for dealing with DDoS attacks of any kind – including DDoS extortion attacks – is to make a conscious, informed decision about how your organization will prepare.
Don’t leave it to chance, and don’t hope it won’t happen. Either is a recipe for disaster.