How to Respond to a DDoS Ransom Note

by Radware on September 10, 2020

DDoS ransom attacks are making a comeback. The past few weeks have seen hacker rings attack with renewed vigor, with the finance, e-commerce and service-provider verticals particularly impacted.

Since the middle of August, Radware has been tracking several extortion requests from threat actors posing as “Fancy Bear,” “Armada Collective,” and “Lazarus Group.” It is a global campaign with threats reported from organizations in finance, travel and e-commerce verticals in APAC, EMEA and North America.

DDoS attacks can come at any time, with or without a ransom note attached, and DDoS-for-hire tools are making it easier for attackers to launch attacks with a few clicks of a button. However, a DDoS ransom note can be particularly stressful, especially if it comes with a hefty demand for payment.

Nonetheless, the damage from a DDoS ransom note can frequently be contained if dealt with in advance. Here are a few tips for handling a DDoS ransom note, should you receive one:

Don’t Pay

Paying DDoS attackers can be damaging on several levels and doesn’t actually guarantee they’ll leave you alone.

Sponsorships Available

Radware advises against paying the ransom demand as there is no guarantee the malicious actors will honor the terms and it “identifies” the target organization as one that is willing to pay under threat. Paying the ransom funds the malicious operation and allows the bad actors to improve their capabilities and motivates them to continue their campaign.

One of the key challenges of DDoS ransom notes is that there is not way to tell who is actually behind them. While many ransom notes claim to be well-known groups such as “Fancy Bear” or “Armada Collective,” there have been many cases where they were sent by impostors. Such notes are frequently sent to a large group of targets, and senders simply count on some of the victims paying out blindly, thereby allowing the sender to collect a nice pay-day without actually doing anything.

Another reason not to pay attacker is that it doesn’t actually guarantee that attackers will leave you alone. There have been cases in the past where victims paid, and still got attacked.

Most importantly, paying DDoS ransoms tells attackers that there is a willing victim here, and increases their appetite. Again, there have been cases where a victim paid a ransom note, only to have attackers come back with bigger demands for more money.

Pass the Information On

Many times, DDoS ransom notes are sent ‘blindly’ to the target, using publicly available email addresses. The recipients of these notes are frequently not the relevant stakeholders for network security and IT, but random people in the organization. In fact, many ransom notes include an instruction to pass this threat on to the relevant people.

As a result, organizations should proactively educate their employees about the dangers of DDoS ransom attacks, and what to do in case a ransom note reaches them. It is helpful to set up a central email address or contact person who is known to be responsible for network security and explain that all relevant threats should be passed on to them.

Establishing a clear owner and communicating relevant information early and quickly can greatly help the organization be prepared in the event of a DDoS ransom note and drastically reduce the risk from an attack.

Check for a Pre-Cursor Attack

Many ransom notes include the threat of a smaller pre-cursor attack, supposedly to demonstrate the capabilities of the attackers and the viability of the ransom threat.

This is why it’s important to check network logs for traffic spikes indicative of a small DDoS attack. These logs can usually be checked by the organization’s network team, security team, ISP or cloud security provider.

While it is Radware’s recommendation not to pay the ransom in case of attack, evidence of a pre-cursor attack may indicate the viability of the threat, and how the target should be prepared.

Note that evidence – or absence – of a pre-cursor attack does not necessarily mean that an attack will or will not follow. Radware has seen cases where there was no pre-cursor attack despite the threat of one, and other cases where there was evidence of a pre-cursor attack but a larger attack never followed. Nonetheless, looking for signs of a pre-cursor attack may be a useful indicator as to the seriousness of the threat.

Alert Your Security Provider

Regardless of the severity of the risk, you should alert your security provider to the threat, and have them jointly monitor attack activity with you.

Alerting your security provider can give them time to prepare, monitor your traffic more closely, and apply additional security mechanisms, in case they are needed.

If you don’t already have a dedicated DDoS scrubbing solutions, now is also a good time to consider deploying one.

Stay Vigilant

Finally, there is no substitute for maintaining vigilance. DDoS attacks may come at any time, whether they are accompanied by a note or not. However, a DDoS ransom note increases the risk and reinforces the need for comprehensive protection against DDoS attacks.

Use this threat as an opportunity to apply some best-practice measures for DDoS protection:

Make a list of all exposed assets, such as applications, IPs, servers, data centers and locations
Prioritize the list of assets to be protected, and assess which assets are mission-critical and require extra protection
Formulate and execute a DDoS response plan, with pre-defined steps of what to do before, during and after an attack
Deploy dedicated DDoS protections backed by a leading DDoS protection vendor, who has the capabilities and experience of handling large, sophisticated attacks
Verify DDoS protection SLAs, and make sure your security provider commits – and steps up – to meaningful protection

A DDoS ransom note is no laughing matter and should be taken with all seriousness. However, exercising these few commonsense measures can greatly help with proper preparation and response, should the threat be followed by a DDoS attack.