How to Prepare for the Rise of Ransom DDoS Attacks

ransom ddos thumbnail image

Increasingly Powerful DDoS Attacks

Distributed denial-of-service (DDoS) has long been a popular cyberattack method used by hackers around the world. By utilizing hijacked devices to build botnets, then bombarding the targeted application servers with numerous requests, DDoS attacks overwhelm the capacity of the servers and paralyze the web service. A common objective of these attacks is to disrupt or even disable an organization’s operations for as long as possible. Hence DDoS is widely used in attacks initiated by nation states and hacktivists.

One concerning trend is that DDoS attacks are becoming more powerful than ever. Since the COVID-19 pandemic began, web traffic has significantly increased across the globe due to more time spent online working, shopping, consuming media, and even receiving education and healthcare. As a result, hackers now have a wide range of targets to choose from and are able to create botnets that are larger than ever.

The record for the largest single DDoS operation has been broken repeatedly in recent years. In September 2021, the Meris botnet was discovered, containing over 250,000 hijacked devices and was used in a series of DDoS operations against internet service providers and financial institutions across the US, UK, New Zealand, and Russia. Meris broke the record for the most powerful DDoS attack twice in 2021. In June, it launched a DDoS with 17.2 million requests per second (RPS) against a US financial institution, only to be surpassed by another attack with 21.8 million RPS in September. To put the numbers in perspective, Google’s search engine receives an average of 63,000 requests per second.


Multiple Waves of Ransom DDoS Attacks

Not only are DDoS attacks becoming more powerful than ever, but more hackers are now testing them out for a range of objectives. In particular, hackers are starting to use them as an attack vector for financial gains, usually in the form of a ransom DDoS attack. Since mid-2020, multiple waves of ransom DDoS were detected, with the latest wave still ongoing.

What does a ransom DDoS attack look like? Normally, the attacker would notify their target prior to the attack and demand a ransom payment as a settlement for peace. Most likely, victims would ignore this initial threat as many of them tend to be empty threats made by hackers who do not actually have the capacity to launch such destructive DDoS attacks. As a result, some attackers would launch a small-scale demonstration attack to prove their ability and get the victim on the negotiation table.

If no agreement is made during the pre-attack negotiations, the attacker would launch the full-scale attack and offer their victim the option to pay for a ceasefire. DDoS can last for up to 24 hours until all the attacker’s resources are exhausted.


Ransom DDoS vs. Ransomware

Even though the attacker’s leverage in a ransom DDoS operation is far less than that of a ransomware attack, it is still worth noting that for many organizations, a temporary disruption of operation can end up in tremendous losses, especially for critical infrastructure operators and manufacturing businesses. Therefore, ransom DDoS attacks should not be taken lightly.

Moreover, ransom DDoS has a relatively low entry barrier. Unlike ransomware actors, who are some of the most sophisticated cybercriminal gangs in the world, most hackers can easily deploy DDoS attacks without any advanced hacking skills. Having an easy attack vector for extortion indeed attracts many financially motivated criminals.

Another reason why many might adopt ransom DDoS is that they attract less attention from the police. Compared to ransomware gangs, who are now some of the most wanted people by national intelligence and cyber-police forces around the world, DDoS operators gain less international attention and are not yet seen as a serious national security threat. Hence, ransom DDoS is a less risky choice for many financially motivated hackers.

In some cases, a ransomware operator would threaten the victim with a follow-up DDoS to bring them back to the negotiation table. While the victim struggles to recover from encrypted servers and systems, a follow-up DDoS attack would further delay the recovery process and cause greater disruptions and damages to the business.


How to Prepare for Ransom DDoS Attacks?

1) Early detection and mitigation

Early detection is crucial in preventing the catastrophic consequences of DDoS attacks. This can be done with a logic-based web application firewall (WAF) like WAPPLES, which effectively blocks DDoS from entering via the network, transport, and application layers. Unlike legacy WAFs, its AI-based detection engine can accurately identify botnets used by common attackers and block their IP addresses.

Nevertheless, some advanced hackers are now hijacking residential IP addresses and forming scattered botnets with fewer identifiable patterns. Even though these botnets are rare, it is still necessary to have another layer of protection against them.

2) Load balancing

Load balancers provide a second layer of protection by directing requests across multiple servers to prevent overload, while sending out real-time alerts when server thresholds are met. When a server falls victim to a DDoS attack, the load balancer can reroute clean traffic to another unaffected server, making it much more difficult for attackers to exhaust all of the victim’s resources. By adopting WAPPLES, users can enjoy a WAF and a load balancer in one, largely relieving the impacts of a DDoS.

3) Content delivery network

A content delivery network (CDN) utilizes distributed servers across the globe to ensure faster service delivery, commonly used by popular web services. Another advantage of CDN is that it increases resilience towards DDoS attacks as hackers no longer have a single point of extortion. Cloudbric provides a cloud-based WAF combined with a CDN so that users can have all layers of protection in one solution. 

Depending on the organization’s IT environment, users can adopt either WAPPLES or Cloudbric to keep them protected from ransom DDoS.


For more information on security implementation, check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Automotive, Energy, Industrial, and Urban Solutions: Penta IoT Security