Ransom DDoS, a Scenario Straight Out of Hollywood


If tomorrow your organization receives a Ransom DDoS letter and you don't take it seriously, I wouldn't blame you. I admit the first time I came across a Ransom DDoS letter, I didn't quite believe it. Something about the theatrics behind it seemed too extreme to be authentic. But once you start reading the details and realize they have your IP addresses and network information, you start to shiver slightly. The big question comes next: what should I do?

A ransom letter has a specific layout that is meant to achieve two things. The first is to make you realize the senders are serious about the attack; sometimes they even run a short demonstration attack against one of your addresses to prove it. The second is to give you the ransom payment details, typically a cryptocurrency wallet address and a deadline after which the price rises (see figure 1). Ultimately the goal is to scare you as much as possible.

ransom letter
Figure 1: A ransom letter sent to a large organization by a group claiming to be the Lazarus Group (a notorious hacking group whose name is frequently borrowed by extortionists)

The Easy Way Out

At this point, you are probably trying to decide whether to pay or not. The answer to that question is more complex than a simple no. As a large and successful organization, you have to consider all of the options. The ransom might not be that high after all, so it could seem worth paying to ensure the availability of your network. This approach puts business before everything else and is understandable, but note that paying buys only a promise: nothing stops the same group, or another one that learns you paid, from sending the next letter.

When it comes to Ransom DDoS, the risks are different from those of a ransomware attack. Here there is no risk of leaked data that could compromise customers' privacy, and no data gets lost or encrypted.

The damage that a Ransom DDoS attack can cause is twofold: the loss of network availability for customers and partners, and the loss of internal productivity when staff depend on the same links and services. Both have the potential to do a lot of damage to any organization, whether externally or internally.

Let's not forget that in some jurisdictions paying the ransom can be illegal. In October 2020, the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory warning that paying, or facilitating the payment of, a ransom demand may violate sanctions law. It is illegal to send funds to individuals, organizations, regimes and in some cases entire countries on the sanctions list, and some cybercrime groups, or the groups they claim to be, meet those conditions.

The only REAL way out
After considering all the options, the right one is inevitable: make sure you are ready for what is coming. Once you decide not to pay the ransom, an attack will probably follow, and soon. The organization that received the letter shown above refused to pay and was hit shortly afterwards with a massive DDoS attack that lasted almost 10 hours and peaked at 237 Gbps (see figure 2). The attack combined several attack vectors, which is what makes this type of campaign challenging to mitigate with a single technique.

ddos attack
Figure 2: Massive DDoS Attack Following Unpaid Ransom

As powerful and sophisticated as this attack might have been, the client was not impacted at all. During the attack, its network remained fully available to legitimate users and business continued as usual.

You may ask: how come? The answer is simple. By failing to prepare, you are preparing to fail. Cyber attacks did not exist in Benjamin Franklin's time, but the line commonly attributed to him describes the right approach to these attacks exactly.

The organization in question had a fully deployed hybrid DDoS protection solution: several mitigation devices installed on premise, combined with the option to divert all of its traffic, when under a volumetric attack that exceeds what the on-premise devices can absorb, to Radware's Cloud DDoS Protection Service with over 8 Tbps of mitigation capacity.

The minute they received the letter they did not hesitate at all. They trusted the Radware DDoS protection solution they had in place to automatically detect and mitigate these attacks when they happen.
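To make the "automatically detect and divert" part of a hybrid deployment concrete, here is an added, illustrative model of the diversion decision. It is not Radware's code and says nothing about how their products decide; it simply shows the shape of the logic a practitioner would expect: on-premise mitigation has a finite capacity, traffic that stays above it for a sustained window is diverted to cloud scrubbing, and traffic is only brought back after it has stayed well below capacity for another window, so a single spike or a fluctuating attack does not cause flapping. The 40 Gbps on-premise ceiling, the window lengths and the traffic profile are all constructed assumptions.

```python
"""Illustrative hybrid DDoS diversion controller (added example, not vendor code).

Assumptions (constructed for this example):
  - on-premise mitigation can absorb up to `onprem_capacity_bps`
  - diversion to cloud scrubbing starts after `divert_after` consecutive
    samples above capacity
  - traffic returns on-premise only after `return_after` consecutive samples
    below `return_below_ratio * capacity` (hysteresis prevents flapping)
"""
from dataclasses import dataclass, field

GBPS = 1_000_000_000  # bits per second in one gigabit per second


@dataclass
class DiversionController:
    onprem_capacity_bps: float        # assumed on-premise mitigation ceiling
    divert_after: int = 3             # consecutive over-capacity samples before diverting
    return_below_ratio: float = 0.5   # return when rate < ratio * capacity ...
    return_after: int = 6             # ... for this many consecutive samples
    diverted: bool = False
    _over: int = 0                    # current run of over-capacity samples
    _quiet: int = 0                   # current run of quiet samples while diverted
    events: list = field(default_factory=list)  # ("divert"|"return", t, bps)

    def observe(self, t: int, bps: float) -> bool:
        """Feed one traffic sample; return True if traffic is diverted afterwards."""
        if not self.diverted:
            if bps > self.onprem_capacity_bps:
                self._over += 1
                if self._over >= self.divert_after:
                    self.diverted = True
                    self._quiet = 0
                    self.events.append(("divert", t, bps))
            else:
                self._over = 0  # a lone spike resets the window
        else:
            if bps < self.return_below_ratio * self.onprem_capacity_bps:
                self._quiet += 1
                if self._quiet >= self.return_after:
                    self.diverted = False
                    self._over = 0
                    self.events.append(("return", t, bps))
            else:
                self._quiet = 0  # attack still fluctuating above the floor
        return self.diverted


def run_scenario(samples, capacity_gbps=40.0):
    """Replay (minute, Gbps) samples through a controller; return its event list."""
    ctl = DiversionController(onprem_capacity_bps=capacity_gbps * GBPS)
    for t, gbps in samples:
        ctl.observe(t, gbps * GBPS)
    return ctl.events


# Constructed traffic profile (minute, Gbps): baseline, a one-sample burst that
# must NOT trigger diversion, a sustained volumetric attack, then recovery.
SAMPLE_TRAFFIC = (
    [(t, 2.0) for t in range(0, 10)]
    + [(10, 60.0), (11, 3.0)]                          # short burst, below divert_after
    + [(t, 200.0 + (t % 5)) for t in range(12, 40)]    # sustained attack, >> capacity
    + [(t, 5.0) for t in range(40, 60)]                # attack ends
)

if __name__ == "__main__":
    for event in run_scenario(SAMPLE_TRAFFIC):
        print(event)
```

Running it on the constructed profile prints a single "divert" event at minute 14 (three consecutive samples over capacity, the earlier one-minute burst ignored) and a single "return" at minute 45, six quiet minutes after the attack stops. The point of the two windows is exactly the "business continued as usual" outcome described above: diversion happens early enough that the on-premise devices are never overrun, and the return path is not bounced back and forth while the attack is still fluctuating.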

To pay or not to pay? That is not the question

When it comes to Ransom DDoS attacks there is only one question you should ask yourself: are you prepared? Readiness is the only way to avoid being impacted by such an attack.

Radware does offer help to organizations that are actively under attack through its emergency attack mitigation service, which gives non-Radware customers a one-time option to divert all their traffic to Radware's Cloud DDoS Protection Service to mitigate the ongoing attack. But there is nothing like the certainty that you will be able to handle whatever comes your way.

With all the recent events, now is the time to check and make sure you have the DDoS protection you need for when the day comes, because your business ultimately depends on it.
