CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
Ransom Distributed Denial-of-Service (RDDoS) attacks are extortion-based DDoS attacks* that are motivated by financial gain:
- Cybercriminals typically send a ransom note threatening to launch DDoS attacks, unless a ransom is paid by the given deadline.
- On occasion, to validate and give credibility to their threat, demonstrative DDoS attacks are launched by the threat actors against the victim before or after sending the ransom note.
This edition of CyberSense takes a closer look at the evolution of RDDoS attacks, and major RDDoS incidents that have occurred recently.
* In a Distributed Denial-of-Service attack, an attacker takes unauthorised control of multiple computers, which may be harnessed as a botnet to launch a DoS attack.
A BRIEF HISTORY OF RDDoS ATTACKS
RDDoS attacks have existed since the late 1990s. [1,2,3] During this period, organisations were chiefly concerned about how RDDoS attacks on their websites translated to lost business opportunities, as customers would be driven to competitors’ websites instead. While such attacks were common, their impact on businesses was relatively minor – given that most businesses still functioned offline at that time. However, there were online bookmakers in the UK which reportedly suffered huge losses in revenue after they were brought down by RDDoS attacks.
The complexion of RDDoS attacks changed dramatically in mid-2014, when the cybercriminal group DD4BC (or “DDoS for Bitcoin”), showing a high level of technical competence and cryptocurrency know-how, started to carry out RDDoS attacks on a prolific scale. Initially targeting organisations in the online gambling industry and Bitcoin exchanges, DD4BC’s cyber operations expanded to include companies in the financial, entertainment, and energy sectors, including several high-profile corporations. DD4BC’s modus operandi typically involved launching small-scale DDoS attacks against their victims’ websites for up to an hour, and then sending ransom notes threatening longer and more powerful attacks unless Bitcoin ransoms, ranging between the equivalent of about US$200 and US$25,000, were paid within a day. Follow-up ransom notes with threats of another larger DDoS attack and higher ransom demands were subsequently sent to victims who didn’t respond to the payment demands and were perceived to be taking defensive measures. These were also accompanied by waves of small-scale DDoS attacks that sometimes lasted several days. If the victims successfully thwarted the DDoS attacks, DD4BC would give up and move on to new targets.
Figure 1: An example of a ransom note sent by DD4BC to a victim
From late 2015, DD4BC further threatened to expose on social media the identities of victims who didn’t pay ransoms, in order to damage their reputations. This shift in DD4BC’s tactics helped to enhance DD4BC’s credibility in carrying out its threats and disrupting its victims’ business operations. By the time two DD4BC members were arrested in January 2016 by several European law enforcement agencies including Europol, more than 140 companies and organisations had been attacked by DD4BC, with some of the DDoS attacks measuring up to 50 gigabits per second (Gbps) at peak volume.
SUCCESS BREEDS CONTEMPT AND COPYCATS
Although there were no confirmed cases of companies yielding to DD4BC’s demands, research conducted by various cybersecurity vendors on Bitcoin’s public ledger suggested that many victims did pay ransoms. These were likely steady enough to make DD4BC’s operations sustainable and profitable, while DDoS-for-hire botnets could also have been leased cheaply from the Dark Web, thus providing DD4BC an attractive return on their investments. DD4BC’s business model and the low barriers to entry for threat actors to carry out DDoS attacks subsequently spawned copycat groups that employed DD4BC’s tactics for their RDDoS operations in the years that followed. Some of these also impersonated infamous hacking groups in their RDDoS campaigns. This is most likely to bank on the notoriety of such hacking groups to scare victims into making payment and lend credibility to their threats, and at the same time to cover their tracks and throw law enforcement agencies off their scent.
Between September and December 2015, the “Armada Collective” cybercriminal group claimed to have launched an RDDoS campaign against secure webmail services such as ProtonMail and Hushmail, as well as several Swiss organisations and financial institutions in Greece, Sweden and Thailand. The group threatened to continue their operations against the victims if their Bitcoin ransom demands were not met. The online banking services of three Greek banks were reportedly disrupted for several hours on various occasions within a week after the DDoS attacks. [9,10] ProtonMail continued to suffer from DDoS attacks, even though the company had already paid their ransom.
RDDoS campaigns hit new heights in 2017, as cybercriminals took advantage of powerful botnets – comprising infected Internet-of-Things (IoT) devices – to launch large DDoS attacks and pressure their victims into paying ransoms. The campaigns gradually subsided towards the end of the year, as victims began to notice that most of the perpetrators did not follow through with their threats (either due to a lack of resources or because they were simply bluffing). Notably, between mid- and late-September 2017, there were scammers who rode on the waves of these global RDDoS campaigns to launch massive e-mail scams. These involved sending ransom e-mails purportedly from the Phantom Squad hacking group to companies across many industries, with threats to launch DDoS attacks on 30 September against their victims, unless a Bitcoin ransom equivalent to about US$800 was paid.
Most recently, beginning in early August 2020, a cybercriminal gang has been observed launching an ongoing, sophisticated RDDoS campaign targeting thousands of global organisations across various sectors, including banking and finance, hospitality and e-commerce. According to the alert that was issued by the FBI in late August, threat actors behind the campaign allegedly posed as hacking groups including Fancy Bear, Cozy Bear, Lazarus Group, and the Armada Collective in their ransom notes e-mailed to targeted organisations, and threatened to launch crippling DDoS attacks and increase their Bitcoin ransom demands within six days if the ransom deadline was missed. The group’s demonstrative DDoS attacks varied in peak volumes and attack length. Although most targeted victims managed to mitigate the attacks or did not report further activity after the ransom deadline was up, there were several others who suffered from consecutive DDoS attacks which affected their business operations. A high-profile victim in this campaign was the New Zealand Stock Exchange (NZX), which suffered trading halts for several days in late August – its hosting provider, Spark, was repeatedly targeted by the threat actors, and this led to network outages for Spark’s other customers as well.
Figure 2: Snippets of ransom notes sent to two different victims by the same cybercriminal gang, impersonating the Armada Collective and Fancy Bear, which carried out RDDoS attacks beginning August 2020
Cybersecurity vendor Akamai has reported that, unlike other threat actors that typically target the public websites of their victims, the threat actors in this RDDoS campaign repeatedly and specifically targeted the victims’ backend infrastructure, application programming interface (API) endpoints, and domain name system (DNS) servers to prolong outages, and often changed the protocols abused for the DDoS attacks to obfuscate their next attack moves. These suggest a high level of sophistication of the threat actors, who have also been observed launching complex DDoS attacks, some of which peaked at close to 200 Gbps.
RANSOM DDoS ATTACKS ARE FIRMLY ESTABLISHED, AND HERE TO STAY
The recent rise of global RDDoS campaigns targeting organisations across multiple sectors is a concern. This is supported by observations of more than a 150% increase in the number of DDoS attacks in the first half of 2020, as compared to the same period in 2019. The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned that DDoS-related attacks will likely increase in frequency against organisations across multiple sectors globally.
Affected organisations could potentially suffer immeasurable losses in both revenue and reputation, as a result of system and network downtime owing to DDoS attacks. That said, all organisations should take necessary measures to secure, protect and defend their Internet-facing services from DDoS attacks. This would include engaging cybersecurity vendors that provide DDoS protection services to identify and block DDoS attacks before they affect the services or infrastructure, maintaining offline backups of critical data to ensure business continuity, and developing incident response plans to deal with DDoS attacks.
REFERENCES
[1] The first DDoS attack was 20 years ago. This is what we’ve learned since.
[2] Pay Us the Money or the Website Gets It: Extortion by DDoS
[3] Extortion via DDoS on the rise
[4] DDoS protection racket targets online bookies
[5] DD4BC, Armada Collective, and the Rise of Cyber Extortion
[6] Case Study: Summary of Operation DD4BC
[7] DD4BC, Armada Collective, and the Rise of Cyber Extortion
[8] DD4BC arrests unlikely to signal end to DDoS extortion
[9] Armada Collective: Who are the hackers extorting bitcoin ransoms and what can we do?
[10] Armada Collective launches DDoS attacks against Greek banks
[11] A DDoS gang is extorting businesses posing as Russian government hackers
[12] Phantom Squad – To Believe Or Not To Believe
[13] DDoS extortionists target NZX, Moneygram, Braintree, and other financial services
[14] Cyber Threats & Trends Report: First Half 2020
[15] Global Ransom DDoS Campaign