Akamai: Beware of Copycat ExtortionistsNew Wave of DDoS Extortion Attempts Has Sprouted
Security vendor Akamai warns of a rash of less sophisticated attempts to extort companies by threatening distributed denial-of-service attacks, which can be expensive for companies to defend against.
The latest crop of attackers is imitating two groups, the Armada Collective and DD4BC, both of which hit companies and organizations last year with DDoS attacks unless a ransom was paid in bitcoin.
Favored targets by the new wave of extortionists include banks, insurance companies, payment providers and trading platforms, according to Akamai's State of the Internet Security report for the first quarter of the year, which was released June 8.
"We're seeing a lot of it," says Michael Smith, Akamai's security CTO for Asia-Pacific and Japan.
But rather than very specific attacks, the extortionists are often sending very general threats to many organizations that are more similar to spam. Often, a company's name is not mentioned in the email. "They're just sending it to every email address they can find, hoping somebody will turn around and pay," Smith says.
DDoS extortion schemes spiked about a year ago with the group DD4BC, Smith says. DD4BC - which stands for DDoS 4 Bitcoin - primarily targeted the gambling industry, but then turned its guns on financial services providers.
Smith says the group hit organizations in North America and Europe, and then turned to Australia and southeast Asia, including Thailand, Singapore and Hong Kong. DD4BC's successes spawned imitators, including the Armada Collective, which extorted the Swiss secure email provider ProtonMail in November (see Refined Ransomware Streamlines Extortion).
ProtonMail paid a ransom to the group only to find it was under attack from another group, which also wanted money.
It's probably safe to assume that an organization is not going to come under a DDoS attack if it has received a very general threat over email, Smith says. The serious DDoS attacks last year were preceded by a test attack where the extortionists demonstrated what they could do. That happened to ProtonMail.
Advice: Don't Pay
In any case, don't pay ransom demands, Smith urges. If someone is targeting a company specifically, Smith says they will come back later for more money, especially if they have a successful attack.
"If you paid once, you'll probably pay again, and it will two or three times what it was before, and they'll keep ratcheting it up," Smith says.
In December 2015, the law enforcement agency Europol coordinated a large action against DD4BC involving authorities in Austria, Bosnia and Herzegovina, Germany, the U.S. and U.K., France, Switzerland, Japan and Romania. It said key members of DD4BC were in Bosnia and Herzegovina. One suspect was arrested, another detained.
According to the threat intelligence company Recorded Future, DD4BC attacked more than 140 companies since it started activity around mid-2014.