Using the threat of distributed-denial-of-service (DDoS) attacks to pressure victims into paying ransoms appears to be back on the menu for ransomware attackers, new evidence suggests.
According to the latest yearly report from security company Radware, the number of attacks using ransomware DDoS (RDoS) rose markedly during 2021, and the tactic was deployed during several prominent incidents.
This might come as a surprise to most people: aren’t established techniques such as encryption, data exfiltration, and triple extortion against customers enough to get paid?
The answer is that ransomware platforms are stacking up the attack options, possibly in response to defenders becoming acclimatized to traditional tactics.
However, these DDoS attacks are different from the old-school attacks on websites and exposed servers, and now more often target protocols associated with VoIP phone systems and VPNs.
A good example mentioned by Radware is the September 2021 attack on Bandwidth.com, which the company later admitted would cost it between $9 million and $12 million to overcome.
Similar treatment was reportedly handed out to several other vendors in the same sector, including VoIP.ms, Voipfone, VoIP Unlimited, Runbox, Posteo, and Fastmail.
More recently in 2022, the FBI warned that the AvosLocker ransomware was threatening to use DDoS attacks as a negotiating ploy in attacks against service providers.
However, RDoS can be used against customers as well as providers, as evidenced by the March 2022 attack on a UK-based mental health charity, which also appears to have targeted the organization’s VoIP phone system.
Why RDoS, Why Now?
Using DDoS as part of an extortion attack is not new—indeed, it played an influential role in the expansion of the ransomware industry almost a decade ago.
The DDoS extortion group DD4BC (Distributed Denial of Service for Bitcoin) menaced hundreds of companies until its alleged ringleaders were arrested after a 2015 police action in several European countries.
DD4BC pioneered tactics such as targeting larger organizations and asking for much larger ransoms. Their methods were unusually aggressive for the time, using demonstration DDoS attacks to ram home their threats.
What eventually halted DDoS extortion was the rapid expansion of protection services, which became something any victim could quickly summon with a phone call. Meanwhile, other types of cybercrime, including malware-based ransomware, were proving more profitable.
So why have criminals returned to the tactic?
Back to the Future
The answer could be that RDoS is more potent when integrated as part of a larger ransomware attack. If a victim copes with data encryption tactics, can it cope with data exfiltration too? And if it can cope with both of those, can it cope with threats to attack its customers? And if it can cope with all of these, can it also cope with an RDoS or destructive wiper attack on top?
This is the hidden logic of ransomware: victims eventually adapt, which means attackers must constantly up the ante in the hope of maintaining the fear factor. Ransomware is slowly mutating into a multi-headed beast in front of our eyes.
For businesses, the significance of RDoS is that it targets important protocols that might not be as easy to defend with a basic DDoS mitigation subscription. Criminals know organizations are hugely inconvenienced by disruption to their phone or VPN communications. Adding this on top of file encryption and the possibility of public data exposure leaves defenders with their hands full. It’s possible other protocols will be targeted in time. Although RDoS is not yet a part of every ransomware attack, expect it to become more common during 2022.