There are certain times in a person’s life when it’s important not to be labelled a victim. At school, for instance, when handing over your lunch money once to a boy named Bubba ensures that you’ll be handing it over to this budding businessman every week until you either graduate or your parents agree to let you move.
You may have graduated years ago (or been allowed to move), but the same principle is rearing its head in the latest DDoS attack trend: extortion attempts from major hacker groups. Here’s what you need to know about these DDoS ransom notes, and what you can learn from the way organisations have responded to them.
DDoS damages
A DDoS attack is otherwise known as a distributed denial of service attack. In it, an attacker or attackers will attempt to deny the services of a website (or network or server) to its legitimate users by overwhelming or otherwise interrupting or suspending the services of an internet-connected host.
Not only do DDoS attacks lead to downtime, which is a major no-no in industries like Forex, SaaS or gaming, but they also obviously lead to lost revenue for ecommerce sites. However, the ramifications of a DDoS attack extend far beyond the obvious. Studies have shown that DDoS attacks cause at least one of the following: software damage, hardware damage, loss of consumer trust, and theft of intellectual property, customer data or financial information.
To summarise, a DDoS attack is definitely something you don’t want happening to your website. Perhaps that’s why DDoS-centred extortion attempts seemed like such a nefariously good idea.
The changing face of DDoS extortion attempts
It used to be that ransom notes claiming to have a botnet army ready to take down your website unless you pay a sum of money within a set number of hours could be written off as the work of some bored kids taking a chance at making some easy money. But with major hacker groups like DD4BC getting into the DDoS attack ransom note game, that’s no longer true.
For at least six months DD4BC has been targeting bitcoin and gaming websites, and they’re now hitting the payment industry with their DDoS extortion attempts. According to Incapsula DDoS specialists, the hallmarks of a DD4BC attack are an email introducing the group, making the DDoS threat, and requesting a payment in Bitcoin. This email is accompanied by a small demonstrative DDoS attack so the target knows the threat is serious.
The email threatens a UDP flood between 400 and 500 Gbps. This would be a tremendous DDoS attack, indeed. According to Incapsula, one observed DD4BC attack actually amounted to a small application layer attack peaking around 150 requests per second, coupled with a medium-sized network layer attack maxing out around 40 Gbps.
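The gap between the threatened flood and the observed demonstrative attack is something a defender can measure. The following is an added example, not code from the original post or from Incapsula: it parses a small set of constructed access-log lines (hypothetical format and RFC 5737 documentation addresses), buckets requests per second, and flags seconds whose request count exceeds a threshold, distinguishing a burst spread over many sources from one noisy client. The thresholds are assumed placeholders, not values from the article.

```python
"""Per-second request burst detector over web access logs (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample log (not real traffic). Hypothetical one-line format:
# "<ISO timestamp> <client ip> <method> <path> <status>". The second at
# 12:00:02 carries a small burst from eight distinct documentation-range IPs.
SAMPLE_LOG = """\
2015-05-01T12:00:00 203.0.113.10 GET / 200
2015-05-01T12:00:00 203.0.113.11 GET /login 200
2015-05-01T12:00:01 203.0.113.10 POST /login 302
2015-05-01T12:00:01 203.0.113.12 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.1 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.2 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.3 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.4 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.5 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.6 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.7 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.8 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.1 GET /api/prices 200
2015-05-01T12:00:02 198.51.100.2 GET /api/prices 200
2015-05-01T12:00:03 203.0.113.11 GET /logout 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text: str) -> List[dict]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            continue
        records.append(match.groupdict())
    return records


def requests_per_second(records: List[dict]) -> Dict[str, Counter]:
    """Map each one-second bucket to a Counter of requests per client IP."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for rec in records:
        buckets[rec["ts"]][rec["ip"]] += 1
    return buckets


def detect_bursts(text: str, rps_threshold: int = 8,
                  distributed_min_sources: int = 5) -> List[dict]:
    """Flag seconds at or above rps_threshold requests.

    A burst coming from at least distributed_min_sources distinct IPs is
    labelled "distributed" (per-IP rate limiting alone will not help);
    otherwise "single-source". Thresholds are assumed placeholders and
    should be derived from the site's own baseline traffic.
    """
    buckets = requests_per_second(parse_log(text))
    alerts = []
    for second in sorted(buckets):
        sources = buckets[second]
        total = sum(sources.values())
        if total < rps_threshold:
            continue
        top_ip, top_count = sources.most_common(1)[0]
        alerts.append({
            "second": second,
            "requests": total,
            "distinct_sources": len(sources),
            "top_source": top_ip,
            "top_source_share": top_count / total,
            "kind": ("distributed" if len(sources) >= distributed_min_sources
                     else "single-source"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector reports a single flagged second (12:00:02) with ten requests across eight sources, where no one source accounts for more than a fifth of the traffic. That "distributed" label is the point: a burst like this needs upstream filtering or a scrubbing service rather than blocking one address, which is the practical reason the article insists on having protection in place before a ransom note arrives.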
Results not as expected
Some of these extortion attempts have to be successful. They must be, or DD4BC wouldn't continue with them. But DD4BC's road to infamy hasn't exactly been paved in Bitcoin. DD4BC have been targeting industries that seem as though they would be reluctant to go to the authorities, but it turns out there's more than one way to strike back at would-be extortionists.
In November of 2014, a Bitcoin exchange named Bitalo decided to not only go public with the ransom note they received, but they also plunked a hefty bounty on DD4BC’s heads. A few months later another Bitcoin company, Bitmain, contributed to the bounty as well after receiving their own extortion attempt.
Responses have ranged from the bounty contributions by these Bitcoin companies to the public DDoS battle by meetup.com to a Bitcoin company that took to Reddit to give away BTC to strangers instead of paying the ransom demand. By refusing to capitulate, these companies have taken both profit and power away from attackers.
Give in, and pay the price
What these companies have done is exactly what your company needs to do if faced with a DDoS ransom note. While you may not be in the position to put up a major bounty, or even get any press for your plight, the most important thing you can do is not give in to the ransom demand. Doing so will not only ensure that you are out the ransom money, but also that your website is forever included on a list of websites that don’t have DDoS protection, leaving you open to future extortion attempts.
However, before you can go ignoring a ransom demand or boldly informing your customers and the public that you’ve been targeted and refuse to give in, you have to make sure you have professional DDoS protection. While DD4BC’s attacks aren’t as powerful as they threaten, they’re still enough to take down a small to medium-sized website and do some real damage.
Furthermore, DDoS attacks come in all shapes and sizes and for all kinds of reasons. Even if you’re never targeted by a ransom demand, you could still very well be hit with a tremendously damaging attack. Better safe than sorry, and better safe than paying a ransom demand to a hacker group. They don’t deserve your hard-earned money any more than Bubba did in the seventh grade.