Distributed denial of service (DDoS) attacks continue to pose serious threats to modern IT. DDoS perpetrators are relentless and tirelessly find new ways to exploit vulnerabilities to succeed with their attacks. Just recently, threat actors managed to exploit a Ruckus wireless admin panel flaw for their DDoS botnet malware, which turns vulnerable devices into DDoS swarm agents.
DDoS attacks are relatively straightforward. All they do is overload servers with overwhelming volumes of requests to exhaust the resources of these servers and make them unavailable. However, most organizations still fall prey to such attacks because they do not have the means to accurately block anomalous traffic while allowing legitimate server requests through.
Worse, DDoS is being used as a precursor to or in tandem with other attacks. A persistent threat combined with other complex cyber assaults spells a major problem nobody should downplay.
DDoS as a smokescreen or distraction
One of the most compelling reasons why organizations should make use of DDoS protection services is the role of this attack in clearing the way for more dangerous attacks. It can serve as a distraction that throws off cybersecurity teams. Security teams know what to expect from a DDoS attack: the downtime or disruption in their operations. Once the attack is “arrested” and the anomalous IPs are determined, many tend to lower their guard, thinking that the attack has already been averted. In the process, they fail to notice the other attacks aimed at their systems.
This attack distraction approach was observed back in 2016. A well-known security firm reported how cybercriminals have learned to use DDoS to keep blue teams (cyber defense) occupied as they exploit other security vulnerabilities or opportunities to attack. In the report, the threat actors conducted phishing operations alongside their DDoS attacks. These attacks may not happen at the same time, though. They may take place in close time frames, with the tandem or second attack taking place the next day or the week after the first.
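As an added illustration (not code from the original article), a small Python triage routine over a constructed log: it flags the minute(s) where the request rate crosses a toy threshold, then lists every non-request event in and shortly after that window, which is exactly the activity a team that has already “arrested” the DDoS would otherwise stop looking at. The event names, threshold and 30-minute lookahead are assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<ISO time> <source IP> <event>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 http_request
2024-05-01T10:00:01 203.0.113.8 http_request
2024-05-01T10:00:01 203.0.113.9 http_request
2024-05-01T10:00:02 203.0.113.7 http_request
2024-05-01T10:00:02 203.0.113.8 http_request
2024-05-01T10:00:03 203.0.113.9 http_request
2024-05-01T10:00:10 198.51.100.4 vpn_login_failure
2024-05-01T10:00:12 198.51.100.4 vpn_login_failure
2024-05-01T10:00:20 198.51.100.4 vpn_login_success
2024-05-01T10:00:40 10.0.0.5 outbound_transfer_gb=12
2024-05-01T12:00:00 192.0.2.1 http_request
"""

def parse_log(text):
    """Parse one event per line into (timestamp, source, kind)."""
    events = []
    for line in text.splitlines():
        ts, src, kind = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), src, kind))
    return events

def flood_minutes(events, threshold):
    """Minutes whose http_request count reaches the (toy) threshold."""
    per_minute = Counter(ts.replace(second=0, microsecond=0)
                         for ts, _, kind in events if kind == "http_request")
    return sorted(m for m, n in per_minute.items() if n >= threshold)

def concurrent_events(events, minutes, lookahead=timedelta(minutes=30)):
    """Non-request events inside a flood minute or the lookahead after it:
    the activity a team that has 'closed' the DDoS would otherwise miss."""
    hits = []
    for ts, src, kind in events:
        if kind == "http_request":
            continue
        if any(m <= ts < m + timedelta(minutes=1) + lookahead for m in minutes):
            hits.append((ts.isoformat(), src, kind))
    return hits

def triage(text, threshold=5):
    """Flag flood minutes, then list what else happened around them."""
    events = parse_log(text)
    minutes = flood_minutes(events, threshold)
    return {"flood_minutes": [m.isoformat() for m in minutes],
            "concurrent": concurrent_events(events, minutes)}
```

On the sample, the 10:00 minute is flagged and the VPN failures, the subsequent successful login and the outbound transfer are surfaced next to it; the lone 12:00 request is not.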
Data theft concealment
There have been instances of DDoS being used to cover data theft. One example is the attack on the University of Vermont Health Network in October 2020. The attackers succeeded in creating a significant network disruption; however, the bigger attack was not the temporary suspension of operations but the theft of sensitive data. The attack was linked to the malware called TrickBot, which was originally intended for the illegal scouring of banking information and related credentials. Its propagators have since expanded its abilities to establish a malware ecosystem with modular components.
There is also a suspicion that the attack on the Democratic National Committee (DNC) in 2016 involved a combination of attacks that eventually led to the theft of DNC documents. There were virtually no reports of the denial-of-service attack, as it was likely resolved promptly. The story the media picked up was the revelation of the stolen documents and the impact the theft had on the party. Later investigations revealed that there was a massive adversarial infrastructure that made the DNC compromise possible. This infrastructure facilitated the undertaking of multiple attacks by decentralized bad actors.
In March 2023, Akamai highlighted a relatively new attack called “triple extortion ransomware.” This is an attack that combines ransomware and DDoS, and it is becoming a popular attack route among cybercriminals. It is called “triple extortion” because of its three-pronged approach to extorting its victims. The first phase of the attack is the exfiltration of data, followed by the encryption of a victim’s files in a ransomware attack, and the launch of a massive DDoS campaign to raise the pressure on the victim to succumb to the ransom demand.
The data exfiltration part of this attack is part of the ransomware attack itself. It is undertaken after the ransomware has successfully infected a system. Instead of immediately proceeding with file encryption, the malicious software exfiltrates some sensitive data first. This data is usually meant to be kept confidential or private, so the attacker uses it as a hostage to demand something from the victim (the first prong of the attack).
The second prong is the main ransomware attack itself. Because of the prevailing policy among organizations to refuse to pay any ransom, cybercriminals do not expect much from their attempts to extort money through ransomware alone. However, they try to make the attack work with the help of DDoS.
Some organizations manage to remain online or continue their regular operations despite a successful ransomware attack. That is why ransomware perpetrators may use DDoS to pressure victims to act on the ransom demand. They can end the victim’s precarious uptime by launching a massive DDoS campaign, with the victim made aware of the intention and told that the attack will not materialize if the ransom is paid.
A notable example of the triple extortion ransomware attack is AvosLocker Ransomware. The FBI and the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have issued an alert regarding this attack, noting that it has been targeting critical infrastructure and important industries including manufacturing, financial services, utilities, and government facilities.
One of the most notorious perpetrators of triple extortion ransomware attacks is BlackCat, which is also referred to as the ALPHV ransomware gang. This cybercrime group has been posting online the stolen data of their victims that have refused to pay the ransom.
The use of DDoS as a precursor or support to a ransomware attack is different from ransom DDoS. The latter is just a single attack with an extortion component. Most DDoS attacks in the past have been aimed at disruption. Recently, they have included ransom demands, which tend to work on organizations that have weak cybersecurity capabilities and knowledge.
In both ransomware and ransom DDoS attacks, the recommendation is always to refuse to give in to the demands of the attacker. There is no certainty that the attacker will stop after the ransom is paid and it is important to create a culture of resistance to criminal demands.
Ensure proper protection
DDoS attacks are unlikely to go away in the foreseeable future. The rise of DDoS-as-a-service has made it easy for anyone to launch denial-of-service attacks, especially among business competitors. Worse, DDoS continues to be relevant in the threat landscape, as demonstrated by the cyber attack combinations described above.
The best way to address DDoS and other cyber attacks is to strengthen security posture, leverage security frameworks, and take advantage of advanced security solutions including those that integrate artificial intelligence to enhance security visibility and expedite detection, mitigation, and remediation.