With massive disruption from the COVID-19 pandemic forcing businesses and public organizations alike to shift to a work-from-home posture, bad actors seized the opportunity to launch unprecedented numbers of distributed denial-of-service (DDoS) attacks. These attacks included a DDoS extortion campaign known as Lazarus Bear Armada, which was launched by a group of bad actors starting in mid-August of 2020.
What is a DDoS extortion attack?
Also known as ransom DDoS (RDDoS) attacks, DDoS extortion attacks occur when cybercriminals threaten individuals or organizations with a DDoS incursion unless an extortion demand is paid. These demands call for payment in cryptocurrency in order to avoid traceability by law enforcement authorities.
DDoS extortion/RDDoS attacks should not be confused with ransomware attacks, in which malicious software encrypts an organization’s systems and databases, preventing legitimate owners and users from accessing them until the ransom is paid.
What are the signs of a DDoS extortion attack?
Threat actors behind DDoS extortion campaigns use several methods. Some attacks start with a demonstrative DDoS attack that targets a specific element of an organization’s online services/application delivery infrastructure to prove the threat is real. This limited attack is immediately followed up with an extortion note or email threatening that a larger attack will follow if payment is not made.
Other attacks first send an extortion note or email that outlines the threat to the business and sets the extortion demand, payment form, and deadline for payment before the attack is launched. The attackers often claim they have upwards of 3 Tbps of DDoS attack capacity available if demands are not met.
Attackers may not always launch the threatened attacks, and some may not even have the capacity to do so. However, organizations should not rely on the assumption of empty threats.
DDoS extortion attacks often involve one or more of the following vectors:
- CLDAP reflection/amplification
- Spoofed SYN-flooding
- GRE and ESP packet-flooding
- TCP ACK-floods
- TCP reflection/amplification attacks
- Packet-flooding attacks using other IPv4 protocols
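As an added illustration that is not part of the original article, the Python below shows how the vectors listed above appear in flow telemetry: it classifies constructed NetFlow-style records against those vectors and flags the ones whose packet volume exceeds a threshold. The record fields, thresholds and sample flows are assumptions made for this example, not values from the article.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    """One NetFlow-style record (assumed field layout, not a real export format)."""
    proto: str      # "tcp", "udp", "gre", "esp"
    sport: int      # source port; 0 for protocols without ports
    dport: int
    flags: str      # TCP flags as letters, e.g. "S", "A", "SA"; "" for non-TCP
    packets: int
    bytes: int

def classify_flow(f: Flow) -> Optional[str]:
    """Map one inbound flow to a vector from the list above, or None if unremarkable.
    Heuristics are illustrative; the 1000 B/pkt cut-off is an assumption."""
    if f.proto == "udp" and f.sport == 389 and f.packets and f.bytes / f.packets > 1000:
        return "cldap_reflection"       # LDAP/389 replies far larger than any query we sent
    if f.proto in ("gre", "esp"):
        return f"{f.proto}_flood"       # IP protocol 47/50 floods carry no ports to filter on
    if f.proto == "tcp":
        if f.flags == "S":
            return "syn_flood"          # bare SYNs that never complete a handshake
        if f.flags == "A":
            return "ack_flood"          # ACKs with no matching connection state
        if f.flags == "SA" and f.sport in (22, 25, 80, 443):
            return "tcp_reflection"     # SYN-ACKs from servers; a few are normal, volume is not
    return None

def detect_vectors(flows, pkt_threshold=10000):
    """Sum packets per vector over one interval; return only vectors above the threshold,
    so the handful of legitimate SYN-ACKs in normal traffic is not reported."""
    pkts = Counter()
    for f in flows:
        vector = classify_flow(f)
        if vector:
            pkts[vector] += f.packets
    return {v: n for v, n in pkts.items() if n >= pkt_threshold}

# Constructed sample interval: two CLDAP reflection flows, one SYN flood,
# normal handshake replies, a small GRE flow and ordinary DNS replies.
SAMPLE_FLOWS = [
    Flow("udp", 389, 44123, "", 6000, 9_000_000),   # 1500 B/pkt from LDAP port
    Flow("udp", 389, 44124, "", 5000, 7_500_000),
    Flow("tcp", 51000, 443, "S", 12000, 480_000),
    Flow("tcp", 443, 52000, "SA", 30, 1_800),       # benign, stays below threshold
    Flow("gre", 0, 0, "", 2000, 2_000_000),         # below threshold in this interval
    Flow("udp", 53, 33000, "", 200, 60_000),        # DNS replies, ~300 B/pkt, unremarkable
]

if __name__ == "__main__":
    print(detect_vectors(SAMPLE_FLOWS))  # {'cldap_reflection': 11000, 'syn_flood': 12000}
```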
Once launched, an attack tied to a DDoS extortion demand behaves like any other DDoS attack: it targets an application or service and overwhelms it with attack traffic that slows the service or crashes it completely.
Why are DDoS extortion attacks dangerous?
Like any DDoS attack, a DDoS extortion attack prevents legitimate network requests from getting through, which can disrupt operations, cost money, and harm business reputation. Conventional wisdom states that paying the extortion demand is not advisable because there is no guarantee the attackers won’t return to demand additional payments in the future.
With the exception of those cases in which a demonstration attack takes place first, it is difficult to know whether the threat is legitimate. Attackers may claim affiliation with well-known attack groups that have already received media coverage in order to lend credibility to the attack threat. Because many security professionals have heard of major attacks by groups such as “Armada Collective,” hijacking the name is believed to heighten the urgency of the threat, thus compelling the target to make payment. It’s important to note that copycat threats may still be real.
More often than not, cyberattackers have conducted pre-attack reconnaissance before issuing their threat. This type of probing looks for weak spots to exploit, such as inadequately protected public-facing applications and services. Sometimes, the attacks target upstream transit providers. By attacking the ISPs supplying internet connectivity, attackers can cause targeted organizations to experience significant disruption.
Authorities recommend that organizations not pay the extortion, because there is no guarantee subsequent demands won’t occur. But it is advisable to put strong DDoS mitigation measures in place to prevent attackers from making good on the threat. If the cybercriminals are unable to conduct the attack because of preventive measures, then the threats are essentially neutralized.