This blog post discusses active research by Radware's Emergency Response Team (ERT) into a DDoS-for-ransom campaign.
This is a preliminary report and will be updated accordingly.
Since the ProtonMail attack in 2015, Radware's ERT has been tracking and mitigating DDoS-for-ransom (RDoS) campaigns from groups such as the Armada Collective. An RDoS campaign is a distributed denial-of-service (DDoS) attack motivated by monetary gain: the attackers typically open with an email or a public post threatening to launch an attack on a stated day and time unless a ransom in Bitcoin is paid. In some cases they also launch a short sample attack against the victim's network as evidence that the threat is real.
RDoS campaigns are attractive to cyber-criminals because they can yield large sums for little or no investment. Because of this, many hacking groups now imitate the modus operandi and spam similar ransom threats under other groups' names with no intention of launching an attack. In 2016 many such opportunists emerged using infamous names like the Armada Collective, Anonymous and Lizard Squad to spread fear and lend credibility to their threats; this year we have even seen groups pretending to be Fancy Bear/APT28. For a target, the ransom letter alone does not distinguish a capable extortionist from a copycat: a sample attack, or the deadline passing quietly, is what separates the two.
Over the last several weeks Radware has witnessed an increase in RDoS campaigns in the Asia-Pacific region. Two groups emerged in mid-June using the names Anonymous and the Armada Collective in an attempt to extort dozens of financial institutions in China and South Korea. The group claiming to be the Armada Collective demanded USD 315,000 under threat of a network-crippling DDoS attack. In South Korea, a number of organizations that received the ransom email also experienced sample SYN and NTP floods of 5 to 20 Gbps. In this campaign the attackers did not follow through on their original threat, even though sample attacks were launched.
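The sample SYN and NTP floods described above are what a target sees before the deadline, and they are worth detecting in their own right, since a letter followed by a real sample attack deserves a different response than a letter alone. The following is an added example, not Radware's code or a tool from this post: it flags both patterns in a one-second window of NetFlow-style records, treating SYN-only flows from many sources as a SYN flood and large packets arriving from UDP source port 123 as NTP reflection. The record layout, the constructed flows, the TEST-NET addresses and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record, in the spirit of NetFlow/nfdump output.

    The field layout is an assumption for this example; adapt it to the
    collector you actually have.
    """
    dst: str
    src: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    flags: str      # TCP flag letters seen over the flow ("S" = SYN only); "" for UDP
    packets: int
    bytes: int


VICTIM = "203.0.113.10"   # constructed target address (TEST-NET-3)
OTHER = "203.0.113.20"    # constructed host that only sees normal traffic
NTP_PORT = 123


def sample_flows():
    """Constructed one-second window of inbound flows. Not real capture data."""
    flows = []
    # 50 distinct (spoofed) sources, each sending 1000 bare SYNs of 60 bytes:
    # the SYN flood signature, no handshake ever completes.
    for i in range(50):
        flows.append(Flow(VICTIM, f"198.51.100.{i + 1}", "tcp", 40000 + i, 443, "S", 1000, 60_000))
    # 30 open NTP servers answering a spoofed query with 2000 packets of ~468 bytes:
    # responses the victim never requested, far larger than a 76-byte NTP reply.
    for i in range(30):
        flows.append(Flow(VICTIM, f"192.0.2.{i + 1}", "udp", NTP_PORT, 50000 + i, "", 2000, 936_000))
    # Benign traffic mixed in: a completed TLS connection and one normal NTP reply.
    flows.append(Flow(VICTIM, "198.51.100.200", "tcp", 51234, 443, "SAPF", 20, 12_000))
    flows.append(Flow(VICTIM, "192.0.2.250", "udp", NTP_PORT, NTP_PORT, "", 1, 76))
    # A second host that only sees a lone SYN (a scanner) and one normal NTP reply.
    flows.append(Flow(OTHER, "198.51.100.201", "tcp", 44444, 22, "S", 1, 60))
    flows.append(Flow(OTHER, "192.0.2.251", "udp", NTP_PORT, NTP_PORT, "", 1, 76))
    return flows


def analyze(flows, window_s=1.0, syn_pps=10_000, min_syn_sources=20,
            ntp_avg_bytes=200, min_reflectors=10):
    """Return {dst: {"alerts": [...], "mbps": float}} for every destination seen.

    Thresholds are assumptions chosen for the example; tune them to the
    baseline of the network being watched.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "syn_pkts": 0, "syn_srcs": set(),
                                   "ntp_pkts": 0, "ntp_bytes": 0, "ntp_srcs": set()})
    for f in flows:
        d = per_dst[f.dst]
        d["bytes"] += f.bytes
        if f.proto == "tcp" and f.flags == "S":
            # SYN-only flows: the handshake never completed.
            d["syn_pkts"] += f.packets
            d["syn_srcs"].add(f.src)
        elif f.proto == "udp" and f.sport == NTP_PORT:
            # Traffic *from* port 123 is NTP responses; amplified ones are big.
            d["ntp_pkts"] += f.packets
            d["ntp_bytes"] += f.bytes
            d["ntp_srcs"].add(f.src)

    findings = {}
    for dst, d in per_dst.items():
        alerts = []
        if d["syn_pkts"] / window_s >= syn_pps and len(d["syn_srcs"]) >= min_syn_sources:
            alerts.append("syn_flood")
        if d["ntp_pkts"]:
            avg = d["ntp_bytes"] / d["ntp_pkts"]
            if avg >= ntp_avg_bytes and len(d["ntp_srcs"]) >= min_reflectors:
                alerts.append("ntp_reflection")
        findings[dst] = {"alerts": alerts, "mbps": d["bytes"] * 8 / window_s / 1e6}
    return findings


if __name__ == "__main__":
    for dst, r in analyze(sample_flows()).items():
        print(f"{dst}: {r['mbps']:.1f} Mbps inbound, alerts={r['alerts'] or 'none'}")
```

The two checks deliberately use different evidence: the SYN flood is recognised by volume from many sources with no completed handshakes, while NTP reflection is recognised by the size of the response packets rather than their count, because a handful of amplifiers can produce the bandwidth seen in the campaign above. Either alert arriving within days of a ransom letter is the signal that the sender can actually deliver.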
Radware's ERT is currently tracking a similar campaign in the United States. Several large U.S. financial institutions have received email threats this week from a group claiming to be Anonymous. The group demands 100 bitcoins, to be paid within seven days, under threat of attack by an IoT botnet. Radware's ERT research division assesses with high confidence that this is likely the same group that was behind the string of attacks in the Asia-Pacific region. At the moment no sample attacks have been recorded, but a number of victims have received letters similar to those sent out in China and South Korea.
Companies should be advised not to pay an extortionist and to seek professional assistance in mitigating RDoS attacks. Paying does not guarantee that an attack will not follow, and it marks the organization as a paying target for the next round of threats. An organization that receives a letter should preserve it, including the email headers and the Bitcoin address, for law enforcement, and should confirm that DDoS mitigation is in place before the stated deadline rather than waiting to see whether the threat is real.
We will update this blog as more information becomes available.
Download the “Cyber Ransom Survival Guide: The Growing Threat of Ransomware and RDoS – and What to Do About It” to learn more.
Daniel Smith is an information security researcher for Radware's Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel's research centres on denial-of-service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in attack tools and techniques helps Radware proactively develop signatures and mitigations for its customers.