DDoS attacks are still a key weapon for corporate extortion

Given all the editorial space devoted to ransomware over the past couple of years, you might be forgiven for thinking that other cyber security threats have gone away. While it’s true that organised criminals have focussed attention and resources on ransomware attacks, as these have proven to be the most profitable, it’s far from the whole picture. Viewed through the lens of extortion – and that’s what ransomware is – it’s easy to see the looming presence of other threats.

Take distributed denial of service (DDoS), for example. DDoS attacks have become part and parcel of many ransomware ones, courtesy of the more advanced ransomware groups providing their affiliates with the ability to execute them directly from the “dashboard” software they have access to. In a ransomware attack, DDoS is used as just another twist of the leverage knife to “encourage” victims to pay up quickly.

Adding insult to injury

Outside of ransomware, DDoS attacks have continued as a standalone method of either causing corporate pain (for hacktivism purposes, petty revenge, or even competitive advantage) or good old-fashioned extortion. These attacks are being facilitated, for the most part, by the growth in the subleasing of botnet-driven “stressers” in a DDoS-for-hire scenario. Criminals, with offerings marketed and sold through dark web marketplaces and sometimes in plain sight on the web itself, will rent access to their botnets of malware-infested zombie devices at a given rate; a surprisingly low rate at that.

An attack on an unprotected site letting loose 10-50K requests per second will cost as little as $50 for the day, according to the 2021 Dark Web Price Index published by Privacy Affairs. A premium protected site, upping the attack rate slightly and including multiple “elite” proxies, comes in at just $200 a day. Obviously, there’s a huge variation in both rental costs and attack quality, for want of a better phrase, and sustained high-rate attacks against large corporations can command many thousands of dollars an hour.

The point is DDoS attacks have become increasingly accessible to would-be attackers. And all of that is without considering criminal groups with access to botnets of their own that have the capability to launch a devastating attack.

Towards the end of last year, several VoIP operators were cripped with outages as a result of ransomware attacks, including Voipfone UK which fell victim at the end of October. A service update announcement from the company called this an “extortion-based DDoS attack from overseas criminals”.

It’s likely these incidents are linked, which was essentially confirmed by the Comms Council UK (formerly known as ITSPA) whose chair, Eli Katz, released a statement. “Several Comms Council UK members and international IP-based communications service providers have been subjected to Distributed Denial of Service (DDoS) attacks over the past four weeks which appear to be part of a coordinated extortion-focused international campaign by professional cyber criminal,” he said. “We are liaising closely with the UK Government, National Cyber Security Centre, Ofcom and international agencies to share information and details about the nature of the attacks in the expectation of halting this criminal activity as quickly as possible.”

Mitigating the worst effects

These attacks, which had been occurring for some months, have been cautiously attributed to REvil, a criminal organisation renowned for its devastating ransomware attacks. According to my sources, the extortion demands have been in the region of one Bitcoin – so that’s anywhere between £40,000 and £50,000 depending on wind direction. Not a bad chunk of change, but certainly a lot less than your average successful ransomware attack can command. Political and law-enforcement pressure might just be causing a shift in focus for some gangs looking to continue making money while escaping some of that heat.

Here’s what Brian Higgins, a security specialist at Comparitech, had to say. “The VoIP service providers currently under attack have clearly taken the best approach by informing and liaising with the relevant authorities, whilst it may take some time to resolve the issue, their customers should be patient and observant, follow any advice provided, and be confident that this approach will make the sector a much less attractive target in the future.” Which probably comes as cold comfort to those impacted, of course.

There is some impact mitigation for some organisations, in that they will already have a fallback in place by employing two different providers. Not that I’m suggesting that VOIP services are prone to failure (well, okay, maybe I am, at least as far as proper implementation of least-cost routing is concerned). The point, however, is that fail-safes should be seen as a given if your company relies on any given service for business continuity, and telephony is no different.

The VoIP providers, meanwhile, like any other organisation, should consider the best moves to mitigate future attacks using dedicated services that monitor, in real-time, network traffic to identify and respond to DDoS traffic in whatever form it takes. Most often this would be by “scrubbing”, which diverts the attack traffic, on-demand, to a centre that removes the bad stuff and reroutes “clean” traffic back where it belongs. These services don’t come cheap, especially if an attack is high-volume and long-lasting, but neither does falling victim and your business being taken offline for hours, or days, at a time. The attackers know this and that’s why, for now, DDoS is a threat you can’t afford to ignore.