Ransom Denial of Service (RDoS) Attack

Cybercriminals are in business to make money. Ransom attacks, such as ransomware and Ransom Denial of Service (RDoS) attacks, provide a straightforward means for a cybercriminal to monetize their attacks.

A Ransom Denial of Service attack is one in which an attacker demands a ransom from a target in exchange for not launching, or for stopping, a DDoS attack. Since disruption of an organization’s website and other online services costs the company money, the victim may be financially motivated to pay the ransom to prevent or stop the attack.


How Does an RDoS Attack Start?

An RDoS attack starts with a ransom demand. Typically, the cybercriminal behind the attack will use a privacy-minded email provider to send their demand to the intended victim. This demand will include a ransom amount and a deadline by which the ransom must be paid. The attacker may perform a DDoS attack before the stated deadline to demonstrate their ability to carry out their threat.

If the ransom is not paid before the deadline, then the DDoS attack will begin in earnest. Often, these DDoS attacks are sophisticated and change tactics regularly to make blocking them more complex. An attack may last anywhere from hours to weeks, and the ransom demand may grow the longer that it goes unpaid.

The Evolution of RDoS Campaigns

Like other cyber threat actors, Ransom Denial of Service attackers are constantly working to refine and improve their tactics and techniques. This helps them to maximize the profitability of their attacks and improve their ability to carry out the threats made in ransom letters.

Often, RDoS attackers masquerade as well-known APTs such as Fancy Bear, the Armada Collective, or the Lazarus Group. In 2020, attacks originating from these groups targeted companies across multiple industries in multi-stage attacks. Those organizations that did not meet the initial 20 BTC ransom demand were targeted again by attacks later that year. By reusing their existing research, the threat actors attempted to extract additional value with minimal effort.

In 2021, attackers turned their focus to Internet and cloud service providers. These attacks also showed more in-depth research, targeting only unprotected assets. Such targeted attacks indicate that the cybercriminals behind the RDoS campaigns were making additional efforts to improve the probability of a successful attack and ransom payment.

How to Respond to an RDoS Threat

A Ransom Denial of Service ransom letter represents a credible threat but also gives an organization time to prepare for a potential attack. Some steps that companies should take in response to an RDoS demand include:

  • Don’t Pay the Ransom: Paying the ransom provides no guarantee that the cybercriminal won’t attack anyway. Additionally, the cybercriminal may come back and threaten additional attacks to extort future payments.
  • Pass the Information On: RDoS ransom notes are often sent to random people within an organization, who may not know what to do with them. Employee education is essential to ensure that information reaches the right people to enable a response.
  • Check for a Demo Attack: Attackers may perform a demonstration attack before the deadline to prove their capabilities. Checking for a demo attack can help with determining if the threat is real and can provide useful threat intelligence for dealing with the threatened attack.
  • Alert Your Security Provider: Provide your security provider with all available information about the threat, including the ransom note and any data from a demo attack. This enables them to better prepare to mitigate the threat.
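As an added example (not code from the Check Point page), one way to carry out the "check for a demo attack" step: compare per-minute request counts in the window between ransom-note receipt and the stated deadline against a robust baseline taken from before the note arrived, and report any burst windows as candidate demo attacks. The timestamps, request counts and the 10×MAD threshold are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

NOTE_RECEIVED = datetime(2024, 5, 6, 9, 0)   # constructed: ransom email arrival time
DEADLINE = NOTE_RECEIVED + timedelta(hours=48)  # constructed: deadline stated in the note


def constructed_samples():
    """Constructed per-minute request counts for a public web front end:
    120 minutes of baseline before the note, 120 minutes after it, with a
    5-minute burst starting 30 minutes after the note (the demo attack)."""
    start = NOTE_RECEIVED - timedelta(minutes=120)
    out = []
    for i in range(240):
        count = 1000 + (i * 37) % 60          # deterministic jitter, 1000..1059 req/min
        if 150 <= i < 155:                    # burst window, ~40x the baseline
            count = 40000 + i * 10
        out.append((start + timedelta(minutes=i), count))
    return out


def baseline_stats(samples, note_received):
    """Median and MAD of request counts observed before the note arrived."""
    pre = [c for t, c in samples if t < note_received]
    med = median(pre)
    mad = median(abs(c - med) for c in pre) or 1.0   # avoid a zero threshold width
    return med, mad


def find_demo_attack_windows(samples, note_received, deadline, k=10.0):
    """Return (start, end, peak) tuples for contiguous minutes between note
    receipt and the deadline whose request rate exceeds median + k*MAD."""
    med, mad = baseline_stats(samples, note_received)
    threshold = med + k * mad
    windows, cur = [], None
    for t, c in samples:
        if not (note_received <= t < deadline):
            continue
        if c > threshold:
            cur = [t, t, c] if cur is None else [cur[0], t, max(cur[2], c)]
        elif cur is not None:
            windows.append(tuple(cur))
            cur = None
    if cur is not None:
        windows.append(tuple(cur))
    return windows


if __name__ == "__main__":
    for start, end, peak in find_demo_attack_windows(constructed_samples(), NOTE_RECEIVED, DEADLINE):
        print(f"candidate demo attack {start:%Y-%m-%d %H:%M} to {end:%H:%M}, peak {peak} req/min")
```

The windows this returns, together with the ransom note itself, are the material worth handing to the security provider in the next step.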

How to Protect Against an RDoS Attack

After receiving a Ransom Denial of Service threat, an organization should take steps to prepare for and prevent the threatened attack. Some best practices include:

  • Understand Your Attack Surface: An RDoS attack will likely target critical systems that are exposed to the Internet, such as a corporate website or a VPN portal. Identifying potential targets is a necessary first step toward protecting them.
  • Have a Plan: During a DDoS attack, time spent planning a response is additional minutes of downtime. Create a DDoS response plan in advance to enable rapid mitigation of the threat.
  • Deploy Comprehensive DDoS Protection: An RDoS letter is an empty threat if the cybercriminal can’t effectively perform a DDoS attack against the organization. Deploying a comprehensive DDoS protection solution from a vendor known to have managed and blocked large-scale DDoS and RDoS attacks is essential to an RDoS prevention strategy.
  • Verify DDoS Protection SLAs: A DDoS protection vendor should offer at least six critical SLAs. Before an attack, verify that a vendor’s SLAs meet business needs.

If your organization has received a Ransom Denial of Service threat or believes that it may be targeted by a DDoS attack, contact us. For more information about mitigating the RDoS threat, inquire about Check Point’s DDoS Protector, which offers comprehensive protection against sophisticated and zero-day DDoS attacks.
