agsandrew - Fotolia
Extortion tactics have expanded beyond the ransomware attacks that popularized them.
In a research paper Tuesday, Akamai Technologies detailed an increase in sizable DDoS activity throughout 2020, which included a shift to monetary motivations and a rise in extortion-based attacks. According to the research, 2020 also saw record-breaking attacks that reached 1.44 Tbps and 809 Mpps attacks against a European bank and an internet hosting customer, respectively.
While the year kicked off with a steady number of large attacks, DDoS activity really started to skyrocket when COVID-19 hit Europe and the United States, forcing almost all aspects of life online. Not only did the threat actors behind these DDoS attacks turn to extortion campaigns, they also broadened the scope of potential targets, which Akamai said is a foreshadowing of the future.
According to the research, activity spiked toward the end of the summer when Akamai began to observe extortion-related DDoS campaigns, "quickly exploding to the largest of their kind." Those campaigns were made by threat actors claiming to belong to advanced persistent threat groups known as Fancy Bear and Armada Collective, and they used extortion demands similar to those used by DDoS ransom groups in the past. The actors sent a threatening email, warning of an impending DDoS attack unless a Bitcoin ransom was paid. However, significant differences raised new concerns.
"Unlike previous events from years past, where there as a lot of talk and not a lot of action. This campaign featured show-of-force attacks upward of 500 Gbps -- a sign the criminals were very determined and highly capable of causing business-impacting disruption," Akamai wrote.
Additionally, the level of reconnaissance conducted by the attackers prior to sending the extortion letters also increased. "The bad actors were highly targeted in their threats and wanted victims to know that they had uncovered specific weaknesses across internet-facing infrastructure or had identified revenue-impacting IPs that would be taken offline unless their Bitcoin extortion demands were met," Akamai wrote.
Not only were victims highly targeted, Akamai also observed a big increase in attacks targeting verticals that have not seen as much activity of late. "7 of 11 of the industries we track seeing peak attack counts in 2020," Akamai wrote. "This was led by huge jumps in Business Services (960%), Education (180%), Financial Services (190%), Retail & Consumer Goods (445%), and Software & Tech (196%)."
According to Roger Barranco, vice president of global security operations at Akamai, the threat actors behind DDoS attacks in 2020 did a much better job of researching their victim and figuring out what parts of their infrastructure they should attack.
"It is one of the first times we've seen them go after things other than services," he said. "What I mean by services is their website, transaction site, or their mail server. This time, they were also going after buildings, for example, to knock a building offline. It's an example of something attackers are going to look at for the future for sure. If I can't hurt the enterprise, I'm going to hurt the workers who are trying to reach it."
While ransomware gangs took blackmail to new levels by popularizing the name-and-shame tactic, extortion-related attacks have always been around. However, they spiked in the last year, Barranco said. When comparing ransomware and extortion-based DDoS attacks, there are differences, but one similarity is that paying can attract more attacks.
"It costs the bad actor money to launch these attacks. They're using tools. So, the only reason they're going to continue with that is if they are actually getting paid. That's why when I talk to customers, I say 'don't pay'. It's part of a problem because you're maintaining their revenue scheme when you do that."
One difference between the DDoS attack trends of 2020 with previous years was how they were implemented, which contributed to the spike in the overall number of attacks.
"They followed through in the beginning almost every time with at least two attacks," Barranco said. "The test attack to say 'hey, I'm real', and then the follow-up, much larger attack. In the past, we'd always get the threat and frequently they didn't follow through."
Barranco told SearchSecurity that specific to the extortion campaigns, this is a shotgun approach.
"It started off pretty focused. They went through the different areas and they hit several organizations within that vertical, but overtime it became just a shotgun blast of just going after everybody and anybody they can send those letters to basically, or these emails, however they communicate."
The DDoS extortion trend has continued into 2021 and is ongoing. "And these are big entities, not small organizations that are getting hit," Barranco said. However, he said there is good news as it does not hold the same level of intensity as last year.
Emsisoft analyst Brett Callow told SearchSecurity that it's impossible to say whether combining ransomware and DDoS attacks will improve actors' conversion rates.
"In isolation, most companies probably wouldn't pay to stop a DDoS attack. However, when it's combined with other extortion efforts -- data encryption and theft, executive blackmail, media campaigns, etc. -- some companies may decide that payment is the easiest option," he said in an email to SearchSecurity. "In other words, the DDoS attack could be the straw that broke the camel's back."
If DDoS works, Callow said, other groups will invariably jump on the bandwagon. And unfortunately, protection against these attacks may be futile.
"At the end of the day with these larger DDoS attacks, there's absolutely nothing you can do in your infrastructure," Barranco said. "I don't care how big the box is that you buy, or how trained your team is, you can only solve this problem up in the cloud to knock the attack down before it reaches you."