Cybercriminals are in business to make money. Ransom attacks, such as ransomware and Ransom Denial of Service (RDoS) attacks, provide a straightforward means for a cybercriminal to monetize their attacks.
A Ransom Denial of Service attack is one in which an attacker extorts a ransom from a target in exchange for not launching, or for stopping, a DDoS attack. Since disruption of an organization’s website and other online services costs the company money, the victim may be financially motivated to pay the ransom to prevent or stop the attack.
An RDoS attack starts with a ransom demand. Typically, the cybercriminal behind the attack will use a privacy-minded email provider to send their demand to the intended victim. This demand will include a ransom amount and a deadline by which the ransom must be paid. The attacker may perform a DDoS attack before the stated deadline to demonstrate their ability to carry out their threat.
If the ransom is not paid before the deadline, then the DDoS attack will begin in earnest. Often, these DDoS attacks are sophisticated and change tactics regularly to make blocking them more complex. An attack may last anywhere from hours to weeks, and the ransom demand may grow the longer that it goes unpaid.
Like other cyber threats, Ransom Denial of Service attackers are constantly working to refine and improve their tactics and techniques. This helps them to maximize the profitability of their attacks and improve their ability to carry out the threats made in ransom letters.
Often, RDoS attackers masquerade as well-known APTs such as Fancy Bear, the Armada Collective, or the Lazarus Group. In 2020, attacks originating from these groups targeted companies across multiple industries in multi-stage attacks. Those organizations that did not meet the initial 20 BTC ransom demand were targeted again by attacks later that year. By reusing their existing research, the threat actors attempted to extract additional value with minimal effort.
In 2021, attackers turned their focus to Internet and cloud service providers. These attacks also demonstrated more in-depth research, targeting only unprotected assets. These more targeted attacks demonstrate that the cybercriminals behind the RDoS campaigns were making additional efforts to improve the probability of a successful attack and ransom payment.
A Ransom Denial of Service ransom letter represents a credible threat but also gives an organization time to prepare for a potential attack. Some steps that companies should take in response to an RDoS demand include:
After receiving a Ransom Denial of Service threat, an organization should take steps to prepare for and prevent the threatened attack. Some best practices include:
If your organization has received a Ransom Denial of Service threat or believes that it may be targeted by a DDoS attack, contact us. For more information about mitigating the RDoS threat, inquire about Check Point’s DDoS Protector, which offers comprehensive protection against sophisticated and zero-day DDoS attacks.