DDoS ransom notes and Bitcoin: why online extortionists love the digital currency
From the small unmarked bills requested by bank robbers to the valuables stuffed into a canvas sack with a giant dollar sign on it beloved by old-timey train robbers, criminals have long had preferences for the way they receive their ill-gotten gains. Just because a great deal of financial crime has moved online lately doesn’t mean this has changed. Offenders still have their preferences, especially when it comes to DDoS extortion.
Details of DDoS
A DDoS attack is a distributed denial of service attack, an online attack that seeks to overwhelm a targeted website’s bandwidth or network resources and take it offline. It does so using the services of a botnet, which, according to DDoS mitigation services provider Imperva Incapsula, is a grouping of internet-connected devices that have been hijacked by malware so that an attacker or attackers can control the devices without the owners knowing. The botnet generates a flood of malicious traffic that exhausts the target website’s bandwidth or network resources and knocks it offline.
Once upon a time a distributed denial of service attack was something that major corporations and big-time online businesses had to worry about. Like all fairy tales, that one came to an end and a DDoS attack is now a risk for every website from mom and pop shop businesses to Lord of the Rings fan sites.
The extortion angle
One of the main reasons distributed denial of service attacks have become so commonplace, and a threat to anyone with an online presence, is the proliferation of DDoS-for-hire services, otherwise known as booters or stressers.
Not only is paying a small fee in order to access a botnet and launch a DDoS attack a cheap and easy way for anyone to grind an axe against a competitor or enemy, but it also provides an opportunity for entrepreneurs to make a little extra money by sending a distributed denial of service attack ransom note to a website owner demanding payment in exchange for not launching an attack.
It isn’t just booter and stresser users using ransom notes to earn a little extra cash, however. There are entire cybercriminal organizations basing their businesses on distributed denial of service ransom notes. The group DD4BC – distributed denial for Bitcoin – has been in action since 2016 and even arrests of some of the members haven’t slowed them down.
A recent survey undertaken by Incapsula showed that 46% of distributed denial of service attack victims receive a ransom note prior to the attack. And while organizations are understandably unwilling to admit they have paid a DDoS ransom, groups like DD4BC are obviously garnering a substantial profit, otherwise they probably wouldn’t be willing to risk prison time.
An internet king’s ransom
The ransom payments are often requested in the form of Bitcoin, a digital currency that is created and held electronically. Users have a Bitcoin wallet from which they can send or receive the currency, and signing up for a wallet doesn’t require the user to provide any personal information. Contrary to popular misconception, Bitcoin is not untraceable: every transaction is permanently recorded in the public ledger stored across the Bitcoin network. However, because Bitcoin requires no personal details, disposable email addresses can be used, and users can obscure their end of the recorded transactions, Bitcoin can be turned into an effectively anonymous payment method. This makes it very appealing for cybercriminals.
A single Bitcoin is currently worth approximately $575 USD, and the ransoms demanded typically range between $575 and $25,000. If these seem like insane sums to pay to avoid a distributed denial of service attack, keep in mind that an unmitigated DDoS attack can cost an organization $40,000 per hour.
Ransom note dos and don’ts
The key to successfully dealing with a distributed denial of service attack is being prepared before you ever get one. That means having professional DDoS mitigation in place. If you’re prepared for a DDoS attack, a ransom note rolling in requires no action beyond warning your response team.
If you don’t have protection in place when the note comes in, it isn’t too late to onboard protection. Most ransom note issuers will fire a warning shot along with the ransom note, but this is typically a very small attack that serves to prove the person or people behind the note have the ability to launch an attack. You have time to get protected before the big one.
Regardless of whether you have protection or you don’t, do not reply and do not pay the ransom. Paying up will merely mark your website as an unprotected target, one that can be hit up again and again.
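The handling steps above, as an added Python example that is not code from the original article or from Incapsula: it pulls the payment address and demanded amount out of a received note, checks that the address is a well-formed Base58Check string (so a garbled transcription is caught before anyone looks it up on the public ledger), converts the demand at the page’s $575 rate, and attaches the fixed playbook of warn the response team, confirm mitigation, do not reply, do not pay. The sample note, the derived address and the regular expressions are constructed assumptions.

```python
import hashlib
import re

BTC_RATE_USD = 575.0  # the approximate BTC/USD figure the page uses
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# A legacy (Base58Check) address: 26..35 Base58 characters starting with 1 or 3.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", re.I)

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Base58Check encode: payload + 4-byte checksum; each leading zero byte becomes '1'."""
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_valid(addr: str) -> bool:
    """True only if addr decodes to exactly 25 bytes whose trailing checksum matches."""
    if not addr or any(c not in _B58 for c in addr):
        return False
    n = sum(_B58.index(c) * 58 ** i for i, c in enumerate(reversed(addr)))
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is one zero byte
    try:
        raw = b"\x00" * pad + n.to_bytes(25 - pad, "big")
    except (OverflowError, ValueError):  # too long for 25 bytes, or pad > 25
        return False
    return _checksum(raw[:21]) == raw[21:]

def triage_note(note: str, rate_usd: float = BTC_RATE_USD) -> dict:
    """Extract the payment address and demand; the recommended actions never change."""
    m, a = ADDR_RE.search(note), AMOUNT_RE.search(note)
    addr = m.group(0) if m else None
    btc = float(a.group(1)) if a else None
    return {
        "btc_address": addr,
        "address_valid": addr is not None and b58check_valid(addr),
        "demand_btc": btc,
        "demand_usd": None if btc is None else btc * rate_usd,
        "actions": ("Do not reply", "Do not pay", "Warn the response team",
                    "Confirm DDoS mitigation is in place (onboard it now if not)"),
    }

# Constructed sample note; the address is derived from an all-zero hash160, not a real wallet.
SAMPLE_ADDR = b58check_encode(b"\x00" + bytes(20))
SAMPLE_NOTE = f"Pay 2 BTC to {SAMPLE_ADDR} within 24 hours or your site goes offline. The small attack you see now proves we can."
```

Run `triage_note(SAMPLE_NOTE)` to see the extracted address, the demand in BTC and USD, and the fixed action list; a note whose address fails the checksum is flagged with `address_valid` set to False.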
Just as you would have loathed to drop your jewels in a dollar sign bag, you should abhor the idea of sending Bitcoin across the internet to the nameless faceless attackers that get rich off the backs of the unprepared.