
A Ransom DDoS attack (RDDoS) is a situation in which cyber attackers attempt to extort money from an organisation or institution by using a DDoS attack as blackmail. Cyber attackers carry out DDoS attacks against many companies. In recent years, we have seen them making these attacks persistent and leaving a note demanding a ransom to stop the attack.
These types of attacks take the corporate network offline and cut off its communication with the outside world for extended periods. It should not be forgotten that in critical sectors even a few seconds of downtime leads to significant financial losses. The best defence against DDoS attacks that culminate in ransom demands is a DDoS mitigation/protection service. Such a service can be obtained from an ISP, or a dedicated DDoS mitigation and blocking provider such as Cloudflare can be used.
Most Ransom DDoS attacks begin with a ransom note indicating that the attacker is threatening a business or organisation. The note is delivered first, followed by a demonstration of the attack’s power with the aim of forcing the organisation to comply.
In some cases, we also see the attacker launching a small demonstration attack before sending the ransom note in order to show they are serious. After this brief DDoS attack, the ransom note is sent along with a show of force, with the aim of causing the organisation to panic and make the ransom payment.
In the first phase, the cyber attacker begins sending attack traffic to the target, generally using a botnet. To make the attack effective, the traffic is aimed at layer 3, 4 or 7 of the OSI model (the network, transport or application layer).
In the second phase, the victim servers overwhelmed by attack traffic begin to slow down or crash entirely. In some cases, we also see network devices or security devices starting to fail before the servers themselves.
In the third phase, the attacker continues to exhaust the target system’s resources, and the targeted organisation’s communications remain cut off for as long as the attack continues. The organisation can of course attempt various mitigation measures at this point: rate limiting, IP blocking, blackhole routing, or engaging a third-party mitigation provider. However, stopping or mitigating an attack once it is already under way is a difficult process.
In the final phase, we see the cyber attacker sending payment demands, renewing them, or continuing their extortion.
A DDoS ransom note carries the blackmail delivered by the cyber attackers to the targeted organisation: the messages in which they demand payment from the organisation.
Generally, these ransom notes are sent from newly created, single-use email addresses. Sometimes attackers may send multiple messages with more details about their ransom demands. There have even been cases where messages were sent explaining how to defend against such attacks.
In the threat and blackmail messages delivered, we also see cyber attackers claiming they are capable of launching cyber attacks with 3 Tbps capacity within 24 or 48 hours.
However, this is not always true, and the cyber attacker may not actually have the capacity or resources to carry out a DDoS attack of that scale.
In some cases, cyber attackers may claim to be members of well-known hacker groups or to be carrying out the attack on behalf of such groups. We should not forget that many of these claims are false and that these groups’ names may be invoked purely for intimidation purposes. However, we would like to note that there is a small possibility, as we mentioned above, that such claims could be genuine. It is impossible to verify whether the attacker is an impersonator or whether what they are saying is true.
Ransom notes generally contain blackmail messages, but also typically include instructions for making the payment — usually in a cryptocurrency such as Bitcoin — along with a deadline and warnings about what will happen if payment is not made. The best course of action when facing a Ransom DDoS attack is to engage a specialist DDoS mitigation provider and, where appropriate, to report the incident to law enforcement rather than paying the ransom, as payment does not guarantee that the attack will stop and may encourage further demands.
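The elements described above (a capacity claim, a payment demand in Bitcoin, a deadline, a claimed group affiliation, a "proof" attack and an escalation threat) are what a responder records when triaging a suspected note. The following is an added example, not code from the original article or from Privia Security; the sample note, its placeholder group name and wallet, and the `triage_ransom_note` helper are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample note (not a real message); the group name and wallet
# are placeholders. It mirrors the elements the article lists.
SAMPLE_NOTE = """Subject: Your network is under attack
We are members of <GROUP NAME PLACEHOLDER>.
Our botnet can hit you with 3 Tbps within 24 hours.
A small attack is already running on your servers as proof.
Pay 5 BTC to <WALLET PLACEHOLDER> within 48 hours or the attack
continues and the price doubles every day."""


@dataclass
class RansomNoteIndicators:
    mentions_ddos: bool = False
    claimed_capacity_tbps: Optional[float] = None  # a claim, not verifiable
    demanded_btc: Optional[float] = None
    deadline_hours: Optional[int] = None
    claims_group_affiliation: bool = False
    claims_demo_attack: bool = False
    threatens_escalation: bool = False

    def is_ransom_ddos(self) -> bool:
        # The defining pair: a DDoS threat coupled with a payment demand.
        return self.mentions_ddos and self.demanded_btc is not None


def triage_ransom_note(text: str) -> RansomNoteIndicators:
    """Pull the indicators a responder records from a suspected RDDoS note."""
    low = text.lower()
    ind = RansomNoteIndicators()
    ind.mentions_ddos = bool(re.search(r"\b(ddos|botnet|flood|attack)\b", low))
    m = re.search(r"(\d+(?:\.\d+)?)\s*(tbps|gbps)\b", low)
    if m:  # normalise Gbps claims to Tbps so notes can be compared
        value, unit = float(m.group(1)), m.group(2)
        ind.claimed_capacity_tbps = value if unit == "tbps" else value / 1000
    m = re.search(r"\bpay\b[^.]*?(\d+(?:\.\d+)?)\s*(btc|bitcoin)\b", low)
    if m:
        ind.demanded_btc = float(m.group(1))
    # Take the deadline attached to the payment sentence, not the capacity claim.
    m = re.search(r"\bpay\b[^.]*?within\s+(\d+)\s*hours?\b", low)
    if m:
        ind.deadline_hours = int(m.group(1))
    ind.claims_group_affiliation = bool(re.search(r"\b(we are|on behalf of|members? of)\b", low))
    ind.claims_demo_attack = bool(re.search(r"\b(proof|demo|demonstration|small attack)\b", low))
    ind.threatens_escalation = bool(re.search(r"\b(doubles?|increases?|continues?)\b", low))
    return ind
```

The extracted fields are what goes into the incident record handed to the mitigation provider and, where appropriate, to law enforcement; the capacity figure is logged as a claim only, since, as noted above, it cannot be verified.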