A group calling itself Phantom Squad has launched an email-based ransom DDoS (RDoS) extortion campaign against thousands of companies across the globe in the past week. The emails threaten to launch DDoS attacks against each target on September 30 unless the victim pays roughly $700 in bitcoin. Fortunately, it appears this is only a group of extortionists making idle threats. Security experts expect that the group’s bark is worse than its bite; that is, they doubt Phantom Squad has the capacity to actually launch simultaneous DDoS attacks against that many targets. Unfortunately, there are attackers who do real damage, both by launching DDoS attacks and by installing ransomware, and such attacks are becoming all too common.
DDoS and ransomware attacks often go hand in hand, and the combination takes two forms: 1) a threat of DDoS unless the victim pays an extortion fee, or 2) a DDoS attack that precedes a ransomware infection or other intrusion. In most cases, it is the latter. A short, sub-saturating DDoS attack, usually lasting less than five minutes, can serve as a smokescreen that distracts IT security staff from a more dangerous infiltration of the network. While IT staff scramble to troubleshoot “noise” on the network, attackers can find pathways and probe for vulnerabilities that can later be exploited by other means. They can quietly overwhelm a firewall (for example by exhausting its connection state table) and install malware that “sleeps” on the network until it is remotely activated. And some low-threshold DDoS attacks go entirely unnoticed by IT security staff.
If your company is unlucky enough to be the target of an RDoS attack here are some basic rules to follow:
- Don’t pay the ransom. You can’t trust that the extortionists will honor their word and call off the attack. Furthermore, paying rewards the behavior and encourages it; they (or other cyber criminals) are likely to hit you again in the future, or to hit another company.
- Report the incident to local law enforcement.
- Patch software, firmware and operating systems.
- Train your employees to know how to avoid cyber threats such as phishing emails.
- Take a proactive stance against future DDoS attacks. Automated DDoS mitigation technology can detect and block attack traffic in real time while continuing to pass legitimate traffic.
Some of Corero’s customers have experienced cyber extortion attempts and, in cases where the hackers did launch a DDoS attack against their network after our customer did not pay a ransom, the Corero SmartWall® Threat Defense System held strong and fended off the attacks.
For more information, contact us.
At last week’s CLOUDSEC 2017 conference, Corero CEO Ashley Stephenson spoke to attendees about the importance of mitigating the “everyday” small-scale distributed denial of service (DDoS) attacks that are pervasive and harmful to global businesses. Although massive volumetric attacks continue to make headline news, and such attacks are likely to get even more massive in scale, it is the short, frequent, low-threshold DDoS attacks that commonly affect businesses.
In our 2017 DDoS trends report, Corero found that 80% of the DDoS attacks seen against our customers were under 1 Gbps in size, and 71% lasted less than 10 minutes. By contrast, larger (though still not massive) attacks in the 10 Gbps range made up only 1.7% of all attacks.
The prevalence of low-threshold, sub-saturating attacks warrants just as much concern as volumetric attacks. It is not that attackers cannot launch large-scale attacks; rather, they often choose smaller attacks because those go undetected and can serve as a smokescreen for more damaging intrusions. A small DDoS attack can take down a company’s firewall in a matter of seconds, enabling the attacker to infiltrate and map the network and possibly install malware. Even when no infiltration follows, the attack traffic creates “noise” on the network and degrades service and performance. For Internet service providers and hosting providers this is a major concern, because sub-saturating attacks consume bandwidth; any DDoS traffic traversing their network costs them in infrastructure resources and maintenance.
Small attacks usually go unnoticed, and therefore unblocked, by cloud-based DDoS scrubbing services, which are typically invoked only when traffic exceeds a volumetric threshold. Even when IT security staff do notice a small attack, it takes several minutes to swing traffic out to a scrubbing service, by which time a five-minute attack may already be over. In contrast, Corero’s automated in-line DDoS protection detects such low-threshold attacks immediately and blocks them in under one second.
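The point above, that a sub-saturating flood slips under thresholds tuned for volumetric attacks (and the smokescreen scenario described earlier), can be shown concretely. The Python script below is an added example, not Corero’s code and not taken from the SmartWall product: it runs a fixed 1 Gbps trigger and a baseline-relative check over constructed one-second traffic samples (about 20 Mbps of background with a four-minute 300 Mbps burst) and reports when each would have alerted. The sample traffic, the 1 Gbps threshold, the 60-second window and the 4x factor are all assumptions chosen for illustration.

```python
"""Why a fixed volumetric threshold misses a short, sub-saturating flood.

Added example; the traffic below is constructed, not a real capture.
Each sample is one second of ingress traffic in bits per second.
"""
import random
from statistics import median

GBPS = 1_000_000_000


def constructed_traffic(seed=7):
    """Ten minutes of 1-second samples: ~20 Mbps of background traffic with
    jitter, plus a 300 Mbps flood from t=120 s to t=360 s (four minutes).
    Constructed data; a fixed seed keeps the result reproducible."""
    rng = random.Random(seed)
    samples = []
    for t in range(600):
        background = 20_000_000 + rng.randint(-3_000_000, 3_000_000)
        flood = 300_000_000 if 120 <= t < 360 else 0
        samples.append(background + flood)
    return samples


def fixed_threshold_alerts(samples, threshold_bps=1 * GBPS):
    """Seconds in which traffic exceeds a fixed rate, the kind of trigger an
    on-demand scrubbing diversion or a flow alarm tuned for volumetric
    floods typically relies on (threshold value is an assumption)."""
    return [t for t, bps in enumerate(samples) if bps > threshold_bps]


def baseline_alerts(samples, window=60, factor=4.0, floor_bps=50_000_000):
    """Seconds in which traffic exceeds `factor` times the median of the last
    `window` seconds judged normal. Using the median, and excluding flagged
    seconds from the history, stops the flood from raising its own baseline
    during the attack. `floor_bps` avoids alerts on tiny absolute changes
    when the link is nearly idle."""
    normal = []   # recent samples that were not flagged
    alerts = []
    for t, bps in enumerate(samples):
        if len(normal) < window:
            normal.append(bps)   # warm-up: assume the first `window` seconds are clean
            continue
        threshold = max(factor * median(normal[-window:]), floor_bps)
        if bps > threshold:
            alerts.append(t)
        else:
            normal.append(bps)
    return alerts


def compare(samples):
    """Summarise what each detector would have seen for the given traffic."""
    fixed = fixed_threshold_alerts(samples)
    adaptive = baseline_alerts(samples)
    return {
        "peak_mbps": max(samples) // 1_000_000,
        "fixed_1gbps_alert_seconds": len(fixed),
        "adaptive_first_alert_s": adaptive[0] if adaptive else None,
        "adaptive_alert_seconds": len(adaptive),
    }


if __name__ == "__main__":
    for key, value in compare(constructed_traffic()).items():
        print(f"{key}: {value}")
```

Run it and the fixed 1 Gbps trigger reports nothing for the whole ten minutes, while the baseline check fires in the first second of the burst (t=120 s) and stays on for all 240 seconds of it. In practice, tune `window` and `factor` to the normal variance of the link, and compute the baseline per destination prefix or per protocol rather than on the aggregate: a 300 Mbps SYN flood aimed at one host is invisible inside a busy 10 Gbps aggregate but obvious against that host’s own baseline.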
To see Stephenson’s slide presentation from CLOUDSEC 2017, click here.
Corero has been a leader in DDoS protection for several years; to learn more about how we can protect your business, contact us.
Enterprises need to consider that even if they have protection against distributed denial of service (DDoS) attacks, their business could be taken offline if their Internet Service Provider (ISP), hosting provider or Domain Name System (DNS) provider does not have adequate DDoS protection. ISPs and hosting providers are attractive DDoS targets because the impact is far-ranging; think of it as hitting several birds with one stone. That’s why it’s crucial to do your research when choosing your providers.
Direct vs. Indirect Hits
Attackers sometimes target a hosting provider or ISP directly, as was the case a couple of weeks ago in late August, when DreamHost was hit by a DDoS attack that caused several hours of downtime for its customers. Another example of a direct hit was in October 2016, when the DNS provider Dyn suffered a massive DDoS attack. Both incidents show that an attack on an Internet gateway can spell trouble for any of its customers downstream, and there are many more such examples. Volumetric attacks make headlines and raise eyebrows, but many providers experience several low-threshold DDoS attacks each day, and even a low-threshold attack on a provider can produce network “noise” and degraded service for downstream customers.
Even an indirect hit; i.e., an attack on one of a hosting provider’s enterprise customers, can cause collateral damage to other customers using the service. If a hacker succeeds in launching a several-hundred-gigabit DDoS attack to take a website offline, it will almost certainly affect customers who co-reside or are reliant on the infrastructure transporting the attack; that’s collateral damage.
As part of their service level agreements (SLAs), many hosting providers promise 99.9% (or even 99.999%) uptime. But 99.9% still permits about 8.8 hours of downtime a year (99.999% about five minutes), and even that can dramatically affect a business. In the event of downtime, some providers offer compensation, such as a credit to the customer’s account, usually a percentage of the monthly fee. That credit rarely outweighs the cost of the downtime to the tenant; if a business website is down, clients or customers can’t find the business online or access its products and services, which usually means lost revenue and damage to brand and reputation.
Be aware that not all ISPs and hosting providers are equal when it comes to DDoS protection. When shopping for a third-party ISP or hosting service, ask the right questions. Ask whether they have a dedicated, in-line, automated DDoS mitigation appliance at their peering and transit points that blocks DDoS traffic before it enters their network. Corero technology identifies network anomalies algorithmically in real time and mitigates the attack traffic at that edge, before it can traverse the network and impact downstream customers. Also ask whether they offer DDoS protection services to customers (increasingly, many do, either as a value-added service or for a premium).
Late last week America’s Cardroom’s Winning Poker Network (WPN), a major online gaming site, was hit with a ransom denial of service (RDoS) attack that lasted a few days. This was not the first DDoS attack that the company experienced; actually, it was the fourth such attack since 2014. Incidents like this are prime examples of how DDoS attacks result in loss of revenue and customer trust; the company was forced to temporarily cancel all its tournaments and issue refunds.
The gaming industry is frequently targeted by DDoS attacks, in part because they do such damage to a gaming company’s bottom line and reputation. Timing is critical in online gaming, so it makes sense that gamers don’t like website latency. Unhappy gamers easily take their gaming or gambling money elsewhere. It’s no surprise that the hackers demanded ransom from WPN in exchange for ceasing the attack; a DDoS attack is powerful leverage. However, the WPN CEO was wise to not cave in to the hacker’s criminal demand, since that would have only rewarded the hacker’s bad behavior and encouraged that hacker or other hackers to follow suit (pun intended).
To prevent such future DDoS or RDoS attacks, WPN should “up the ante” in terms of its DDoS protection. Now more than ever, DDoS protection is affordable, scalable and flexible. Companies have the choice of hosting a DDoS protection appliance on-premises, or a hybrid approach that combines an appliance with a cloud scrubbing solution or outsourced protection via their Internet Service Provider or Hosting Provider. Modern DDoS protection services are a game-changing opportunity for the gaming industry. After four bouts with DDoS hackers, WPN can certainly find a solution that solves its problem; you can bet on that.
It is well known that attackers can enslave IoT devices into a botnet, but this week the news broke that some 300 apps in the Google Play Store carried malware that recruited Android phones into a botnet built to launch distributed denial of service (DDoS) attacks.
According to Mashable, the latest threat is called “WireX” and it targeted Android phones. Google responded quickly by identifying and removing the malicious apps, but conservative estimates put the number of infected Android devices at 70,000. Considering that there are millions of other insecure IoT devices, it’s easy to understand why this is bad news for IT security professionals. There is an abundance of vulnerable devices for attackers to leverage into DDoS attacks, and it doesn’t take many bots to launch a low-level or even average-sized DDoS attack (the infamous attack on Dyn involved roughly 100,000 infected devices).
It is widely known that IoT devices are easily recruited into botnets when end-users do not change default passwords, and it’s not surprising that attackers found a new conduit; it is difficult to stay one step ahead of them. What is somewhat surprising is that malicious apps made it past Google Play’s review. End-users already bear the responsibility of installing security patches and changing default passwords (which many fail to do); now they cannot even assume that an app downloaded from an official store is safe. IT security experts are concerned that copycats will try to seed other Android apps with similar malware.
The key takeaways from this story are as follows: 1) hackers continue to be creative in their methods of creating botnets; 2) even supposedly secure phones and apps can be vulnerable to being enslaved into botnets; and 3) with so many IoT-connected devices that have been recruited into botnets, DDoS attacks are not going away anytime soon. DDoS attacks are increasing in frequency and sophistication, so organizations of all types should make DDoS protection a fundamental part of their cybersecurity practices.
Corero is the leader in real-time DDoS defense, if you need expert advice, contact us.
In recent weeks, cyber attackers have become even more interested in extorting money from organizations by threatening to organize a DDoS attack on critically important online systems.
These include a hacker group calling itself ANX-Rans that tried to extort a French company, and a group called CyberTeam that tried to extract a ransom of 5 Bitcoin (about $20,000) from Abuse.ch, the website of a prominent Swiss security researcher. These incidents come as no surprise, as ransom-related denial of service (RDoS) attacks have been on the rise since mid-June, after a South Korean hosting provider paid a ransom of nearly $1 million when ransomware encrypted its customers’ servers.
Unfortunately, when even one high-profile victim decides to engage with attackers by paying a ransom, we tend to see an increase in these types of attacks. RDoS attacks have grown in volume as cyber criminals are constantly on the lookout for more efficient methods to attack systems and obtain profits. When faced with the cost of their business going offline if a successful DDoS attack is launched against them, some organisations may believe that paying a ransom demand represents good value for money. But this is playing with fire, and offers no guarantee that an attack will not be launched. Thus, it’s important to highlight the danger these attacks pose to businesses and learn how to build a successful defence against them.
Ransom-Driven DDoS Attacks
In an RDoS attack, cyber criminals send a message threatening to carry out a distributed denial of service (DDoS) attack, or to infect the organization’s operational systems with ransomware, unless a ransom is paid by a certain deadline. Many attackers are motivated by the potential for financial gain and the ease with which such attacks can be performed. Indeed, extortion is one of the oldest tricks in the criminal’s book, and one of the easiest ways for today’s attackers to turn a profit. These attacks have become so common that in a 2016 Corero study, 80 percent of European IT security professionals said they expected their business to be threatened with a DDoS ransom attack during the next 12 months.
When service availability is threatened, the victim company faces costly consequences, including lost revenue and reputation damage. Thus, it is not surprising that almost half of the IT security professionals (43%) who took part in our study thought it possible that their organization might pay such a ransom demand in the hope of avoiding an attack.
How to Deal with DDoS Ransom Threats
Unfortunately, most cyber security solutions focus on recovery from criminal extortion attacks, rather than preventing one. But, DDoS mitigation solutions have evolved, and become more affordable, for companies of all sizes. This means that companies now have choices in their type of DDoS protection, and they must find a solution that is cost-effective for them. Enterprises should take a more proactive stance when it comes to preventing ransom-related attacks, and one way they can do that is by installing DDoS protection hardware that detects and blocks even the smallest of DDoS attacks, 24x7. Only then can IT security teams have comprehensive visibility into network incursions.