Five Similarities Between DDoS Extortion and Ransomware Attacks — and One Big Difference

Carol Hildebrand

With a global pandemic raging, it is difficult to overstate the importance of a solid and reliable healthcare system—which makes it a perfect target for cybercriminals. Federal authorities have announced that malicious threat actors are using Trickbot malware to target hospitals and healthcare providers, “often leading to ransomware attacks, data theft, and the disruption of healthcare services.” That campaign is not alone, however. The global Lazarus Bear Armada (LBA) DDoS extortion campaign that began in September has also expanded to include healthcare providers. 

The attackers use different methods in their campaigns: ransomware versus extorting targets with threats of DDoS attack. But despite that, there are common threads—and one big difference. Let’s take a look:

  1. Both groups are motivated by money. The ransomware attackers use Trickbot malware both for data theft and to deploy Ryuk ransomware; for them, the payoff lies in getting their victims to pay for the decryption key to unlock their files. The LBA extortionists, on the other hand, launch a DDoS attack and follow up with demands for payment to avoid a second attack that will crash the victim’s network/services. Different tactics, same goal.
  2. Attack frequency for both is on the rise—especially during the pandemic. DDoS attack frequency only knows one direction—up. The pandemic added rocket fuel to that trend: data from the latest NETSCOUT Threat Intelligence Report shows that during the shutdown, the world was hit by the single largest number of monthly attacks we’ve ever seen—929,000 DDoS attacks in May alone. Indeed, DDoS attack frequency jumped 25 percent during the pandemic lockdown months of March through June. Tracking the number of ransomware attacks is difficult, but if insurance claims are any indication, ransomware incidents accounted for 41 percent of cyber insurance claims filed in the first half of 2020, according to a recent report from Coalition, one of the largest providers of cyber insurance services in North America.
  3. Both methods have the same MITRE ATT&CK impact: availability. Adversaries may perform endpoint or network Denial of Service (DoS) attacks to degrade or block the availability of services or resources to users. Ransomware attackers, however, encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
  4. Both have readily available attack toolkits. In short, it’s easy to get started. On the ransomware side, interested parties can easily access affiliate programs to buy multiple ransomware malware families, each with publicly available source code. There is even an ample supply of online tutorials and how-to guides to teach them how to use these new purchases. The DDoS business model has a similarly low bar to entry, as DDoS-for-Hire and Booter/Stresser Services are readily available and very inexpensive. Moreover, attackers can exploit an ever-growing population of attack vectors.
  5. Both look for unprepared targets. With ransomware, adversaries take advantage of organizations that lack adequate data backup, network segmentation, and recovery programs. DDoS attackers, on the other hand, want to find companies with an inadequate DDoS protection plan.

One Big Difference

The big difference between the two lies in a company’s ability to control its fate.

If ransomware attackers successfully exploit inadequate data backups and restoration procedures, there’s not much a company can do once infected other than pay the attackers and trust they will provide the decryption key—if one is even available. 

With a DDoS attack, on the other hand, there is always a recovery in sight. You don’t need to trust the attacker. Companies with adequate internal/external resources that use modern-day DDoS protection products and services have far more control over the outcome. And in a world where so little feels in control, now is the time to take control of your DDoS attack plan.


NETSCOUT Arbor Edge Defense (AED) enterprise security products detect and block Trickbot activity using our ATLAS Threat intelligence. AED also automatically stops all types of inbound DDoS attacks, including the many vectors of the LBA DDoS extortion attacks.

AED’s position outside the firewall also allows it to act as a last line of defense by automatically detecting and blocking command and control (C2) communication from compromised internal devices. In the case of the ransomware that is targeting healthcare organizations, AED can detect and block the communication to Trickbot C2 infrastructure, which is a common distribution method according to the federal advisory. Blocking the source of distribution is just one step organizations can take to prevent the installation of ransomware such as Ryuk.

In the past six months, we have seen 57 customers impacted by Trickbot in verticals ranging from healthcare to telecommunications, academia, retail, and finance. This amounts to several million beacons to known command and control (C2) nodes.
