The surge in ransomware attacks over the past 18 months has created havoc for organizations across numerous critical sectors, leading to enormous payments being made to cyber-criminal gangs.
Ransomware operators have also rapidly evolved their tactics in this period, with trends like double-extortion ransomware attacks and ransomware-as-a-service becoming increasingly prominent. This means attacks are becoming more sophisticated and more complex for organizations to prevent. Another trend being observed in this space is the rise of ransom-related distributed denial of service (RDDoS); essentially, a tactic that aims to extort victims by taking or threatening to take their systems offline through DDoS. This is often easier and can be just as effective as encrypting an organization's systems and data.
Following recent research conducted by tech firm Neustar in this area, Infosecurity recently caught up with Rodney Joffe, chairman of Neustar International Security Council (NISC), SVP and fellow to find out more about this technique and how organizations should respond to an attack of this nature.
In Neustar’s recent study, 44% of organizations reported being the target or victim of an RDDoS attack in the last 12 months, while fewer organizations (41%) were on the receiving end of a ransomware attack. Could you explain how RDDoS attacks work, and does Neustar’s findings demonstrate a shift in the tactics employed by ransomware attackers?
An RDDoS attack aims to knock an organization’s systems offline completely. While a ransomware attack encrypts a company’s system, an RDDoS attack doesn’t require the cyber-criminal to gain access to a businesses’ internal systems before it can be carried out.
While there is technically no difference between a DDoS attack and an RDDoS attack, the element involving ransom means organizations are subject to extortion from criminals. Additionally, launching a DDoS attack has become relatively simple. It has the added benefit of being harder to trace back to its origin, meaning cyber-criminals are turning to RDDoS attacks over ransomware as an evolutionary point from DDoS but also a migration from ransomware-based attacks.
Organizations that receive extortion threats are typically sent an additional demand letter that follows a rudimentary template format. In the letter, users are threatened with a DDoS attack unless the demands for payment — usually in the form of Bitcoin — are met.
How effective is this approach in infecting organizations with ransomware? What advice do you have for organizations to defend themselves against RDDoS?
Unfortunately, this approach is highly effective in infecting organizations with ransomware. While RDDoS in itself doesn’t include any ransom software, i.e., ransomware itself, instead, cyber-criminals are extorting the organization with attack threats. Cyber-criminals are also combining RDDoS with additional tactics, installing encryption ransomware while systems are down and stealing data and threatening data leaks. These triple attacks are becoming increasingly common.
"Unfortunately, this approach is highly effective in infecting organizations with ransomware"
Research from the Neustar International Security Council (NISC) found that 60% of businesses would consider paying in the event of an attack, with one in five potentially willing to spend more than 20% or more of their annual revenue.
Ultimately, this is about ensuring an organization has a strong overall cyber resilience framework. The first step to achieving this is by assessing the current risk, then identifying all online assets and where they reside. Additionally, organizations should consider exactly what needs protecting to ensure business continuity.
Organizations should then be able to gauge the strength and extent of the security solution they need. Then they can form and implement mitigation strategies, including what to do in the event the system goes down, what is backed with redundancies and what the escalation protocols are, among other preventative systems in place. Of course, what is essential to all of this is having a security partner with anti-DDoS capabilities.
The study also showed that large numbers of RDDoS and ransomware victims are being targeted multiple times. How does this finding inform the debate surrounding whether it is ever right to pay a ransom?
While it is understandable why organizations decide to pay in order to regain business operations, it’s not the answer. Paying makes a company more likely to be targeted again. Instead, companies should think of cybercrime as a business — by paying up, a business is making itself a viable target, with ‘success rate’ chances historically higher than those that haven’t paid. This means it makes business sense for the criminals to target that company again, which could have catastrophic consequences.
What advice do you have for organizations who find themselves on the receiving end of an extortion letter from RDDoS attackers?
Do not pay. Letters typically come with a timeline, so companies should work with their DDoS security provider to best prepare for any attacks. Additionally, companies should ensure they’ve got an open communication established with their DDoS security provider, especially on day zero. If companies can, they should provide systems access or monitoring too to the provider. Finally, making sure an organization’s disaster recovery platforms are up to date and ready to go can prevent RDDoS from impacting business continuity.
Do you think the wider industry and governments can do more to help organizations when they do fall victim to ransomware?
There’s an education piece in this. When faced with an RDDoS, many companies panic and become willing to fork out potentially millions in ransom yet don’t invest relatively minimal sums in defense software and services. As an industry, we need to make it easier for CISOs and security managers to argue for robust cyber resilience investment by businesses in the context of attack likelihood and expense.