How do you respond to a DDoS Extortion Attack?

Practical steps for fending off a DDoS extortion scheme and avoiding disruption to vital systems

What to Do if You Are Threatened with a Ransom DDoS Attack
NETSCOUT

Distributed denial-of-service (DDoS) attacks, which are designed to overwhelm and disable critical network systems of the targeted organization, were launched in record-breaking numbers in 2020. For the first time in history, the annual number of DDoS attacks crossed the 10 million threshold, with NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) observing 10,089,687 attacks over the course of the year. That’s nearly 1.6 million more attacks than 2019’s count of 8.5 million.

The other notable DDoS activity of 2020 started in mid-August, as a relatively prolific threat actor initiated the Lazarus Bear Armada (LBA) global campaign of DDoS extortion attacks, also known as ransom DDoS or RDDoS. In this type of attack, cybercriminals threaten to launch a DDoS attack if a ransom demand is not met within a set time period. Sometimes, the attackers will initiate a demonstration DDoS attack against specific elements of an organization’s online services/application delivery infrastructure to show they mean business.

DDoS extortion attacks are on the rise and raise the risk profile for organizations that are not prepared. Because such an attack can cripple online applications and services, it is best to protect vital assets by putting measures in place prior to a threatened attack. Law enforcement authorities and security experts advise against paying the ransom. Instead, money is better spent on putting a strong DDoS mitigation service in place.

How to Protect Against DDoS Extortion Attacks

Most DDoS attack vectors and targeting techniques are well-known, which means organizations can prevent an attack by using established DDoS countermeasures and protections. Again, it is best to institute mitigation measures before a threat occurs.

The following steps are recommended:

  • Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational best current practices (BCPs) have been implemented, including situationally specific network access policies that permit internet traffic only via required IP protocols and ports. Internet access traffic for internal organizational personnel should be deconflated (kept separate) from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.
  • Critical supporting ancillary services, such as authoritative DNS, should also be designed, deployed, and operated in a manner consistent with all relevant BCPs.
  • Upon receipt of any demands for DDoS extortion payments, targeted organizations should immediately engage with their peers/transit ISPs, other organizations providing critical internet-facing services (such as authoritative DNS hosts), and situationally appropriate law enforcement organizations. They should ensure that their DDoS defense plans are activated and validated, and maintain a vigilant alert posture. 
  • It is also important to conduct periodic testing of DDoS defenses to ensure that any changes to an organization’s servers/services/applications are incorporated into its defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services to ensure maximal responsiveness and flexibility during an attack.
  • Organizations should familiarize themselves with the particulars of previous high-profile DDoS extortion campaigns to better prepare for future threats. 
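The first recommendation, permitting internet traffic only via required IP protocols and ports, can be checked mechanically before a threat arrives. The sketch below is an added example, not NETSCOUT's code: it audits an inbound edge policy against a declared list of public services. The `Rule`/`Service` model, first-match rule ordering, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dst: str              # destination prefix, CIDR
    port: Optional[int]   # None means any port

class Service(NamedTuple):
    proto: str
    dst: str
    port: int

DEFAULT_DENY = Rule("deny", "any", "0.0.0.0/0", None)

def covers(rule, svc):
    """True if the rule matches traffic destined to the service."""
    rnet, snet = ipaddress.ip_network(rule.dst), ipaddress.ip_network(svc.dst)
    return (rnet.version == snet.version and snet.subnet_of(rnet)
            and rule.proto in (svc.proto, "any")
            and rule.port in (svc.port, None))

def audit_policy(rules, required):
    """Audit a top-down, first-match inbound ACL (assumed semantics)."""
    findings = []
    want = {(s.proto, ipaddress.ip_network(s.dst), s.port) for s in required}
    for i, r in enumerate(rules):
        key = (r.proto, ipaddress.ip_network(r.dst), r.port)
        if r.action == "permit" and key not in want:
            findings.append(f"rule {i}: permit {r.proto}/{r.port or 'any'} "
                            f"to {r.dst} exceeds the required services")
    for s in required:
        first = next((r for r in rules if covers(r, s)), None)
        if first is None or first.action != "permit":
            findings.append(f"required {s.proto}/{s.port} to {s.dst} is blocked")
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("policy does not end with an explicit default deny")
    return findings

# Constructed sample: a web front end and an authoritative DNS server.
REQUIRED = [Service("tcp", "192.0.2.10/32", 443),
            Service("udp", "192.0.2.53/32", 53),
            Service("tcp", "192.0.2.53/32", 53)]
WEAK = [Rule("permit", "any", "192.0.2.0/24", None)]
HARDENED = [Rule("permit", s.proto, s.dst, s.port) for s in REQUIRED] + [DEFAULT_DENY]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_policy(policy, REQUIRED) or "no findings")
```

Running the same audit after every change to public-facing servers or services keeps the access policy aligned with the defense plan.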

As the old saying goes, an ounce of prevention is worth a pound of cure.
