Posted on March 10, 2018 at 7:05 AM

Ransom Notes Rolled into DDoS Attacks

Since the dawn of criminal activity, criminals have demanded ransoms. Now, the latest in DDoS attacks bring in the old method of extortion by embedding such notes in their traffic. Crippling attacks have the potential to bring websites down and freeze web traffic, but researchers say you should never pay into criminal demands.

DDoS Attacks suck

The 2017 WannaCry DDoS attack held 200,000 computers hostage. The attackers demanded bitcoin payments to end the attack. Now, GitHub has been victim to a much larger form of DDoS attack, the Memcache reflection attack, or amplification attack. This, also, came with requests for crypto payment.

Thankfully, Akamai was able to intervene and shut down that attack. According to an incident report, user data was not at risk, but the site was down for a few minutes while things were being worked out. Websites like these understand that their customers rely on them, and these attacks can lead to permanent removal of sites, massive overhauls, and more, if bad enough.

A roll-up of the worst kind

Upon reviewing the attack, Akamai researchers found that the UDP packets had embedded ransom notes in them. The note specifically demanded 50 Monero as payment for ending the attack. Chad Seaman, of Akamai’s security team, has said that this attack was multifaceted. He likens it to a DDoS attack, a phishing attack, and an extortion rolled into one massive event. He calls the attacks “clever.”

According to another Akamai security manager, Lisa Beegle, the GitHub attack was the first of its kind. Ransom demands are nothing new, but embedding the notes in the attack payload has not been previously observed. This attack has prompted Akamai to add a new protocol: as websites are being barraged with DDoS attack traffic, researchers will begin examining the incoming UDP packets for this type of note.

Paying the ransom won’t pay off

Researchers want users to know that paying the ransom is not a good idea, for all the usual reasons. Lisa Beegle states that giving in to such demands only incentivizes attackers to continue their tactics of extortion. Also, if an attack works as a means of getting a payoff… why stop the attack at the first ransom? Paying ransom in no way guarantees an end to the attack. The fact that Monero is the chosen method of payment makes it an even worse idea. Monero is very difficult to track. It is more readily converted to fiat money that bitcoin, which is a plus for attackers, but it is also nearly impossible to track where funds have come from or gone to. Again, hiding is a boon to hackers, but once Monero comes in, they have no real way of knowing which of their targets has ponied up. That means they are not likely to cease any DDoS attack.

For now, the best method of defense is good system defense. Researchers recommend disabling UDP ports and beefing up firewalls. If your website does come under such an attack, stay calm, get help, and never pay out.