The Rapid Resurgence of DDoS Extortion (That Didn't Take Long)
Just when we thought DDoS extortion was fading into the rearview mirror, it's time to circle up the trucks again (gas tanks full). Starting last week and rapidly accelerating, we began seeing in our data and hearing firsthand from organizations about a new wave of extortion activity -- new Bitcoin demands; new threat actor names; and new attacker tactics, techniques, and procedures (TTPs).
Perhaps the rapid resurgence in DDoS extortion attacks was spurred on and inspired by the massive Colonial Pipeline payout? It's possible.
Whatever the attackers' motivations, we've seen a flurry of malicious activity with new customers needing emergency integration of DDoS defenses in numbers not seen since the campaign heated up last August. A few others in the industry (seclists.org, computerworld.dk, and Irish ISPs via twitter) have noted recent extortion demands as well.
Let's take a closer look at the latest threat actors hitting the scene, and what organizations need to do now to be prepared.
With summer around the corner, May attack activity heats up
While we have firsthand data on just two verified extortion attacks (both of which routed on to the Akamai Prolexic network while under attack), we've caught wind of six others from customers and prospects doing emergency onboarding of their networks to the Akamai Prolexic DDoS defense platform. We have yet to see these attacks target a customer with an always-on security posture, suggesting the attackers are focused on softer targets without in-line defense. Like previous extortion campaign activity, we've observed the latest round of attackers targeting organizations across a variety of industries such as travel and hospitality, retail/e-commerce, high-tech/software, and consumer packaged goods to name a few. Some industries, in particular, align well with attackers seeking to exploit the highly anticipated and pent up demand for summer travel as COVID-19 restrictions ease up.
Based on our visibility into attack data, the first show-of-force assault was north of 150 Gbps and lasted an hour, while the second attack on a different customer upped the ante, coming in at over 250 Gbps and lasting for more than an hour. These attack sizes are consistent with previous extortion activity in terms of seeing bandwidth exceeding multiple hundreds of gigabits per second spread across multiple destination IPs: The first attack had 11 target destinations (roughly 10 Gbps on each) and the second attack had 7 target destinations.
Let's start with a little context
How does this campaign fit within the broader trend of DDoS extortion? Since August 2020, we've tracked a few different waves of extortion campaigns, with attacker TTPs ebbing and flowing, overlapping and co-existing over time. We've even seen attackers combine names of notorious APTs to keep things fancy as they bring the extortion campaigns back to life. These most recent attacks align most closely with what we documented and mitigated in v2 attacks in terms of target spread, and bleeding over into v1 traits with tip-off DDoS attack vectors.
|Tactics||Poker tell vectors (ARMS/WSD). Mostly single destination IP targeted.||Attack spread across a range of destination IPs (5-12).||Two very large attacks in succession, new DCCP vector, a range of destination IPs at a single customer.||No clear signs of DDoS activity.|
|Average Gbps||99 Gbps||144 Gbps||733 Gbps||6.8 Gbps|
|Average Duration*||44 minutes||53 minutes||77 minutes||9 minutes|
|Target Industries||Business services, financial services, hotel and travel, retail and consumer goods||All industries||Media and entertainment||All Industries|
*All DDoS extortion attack varieties exhibit much longer average durations and bigger average volumes than non extortion attacks.
A bit more about May 2021 extortion activity
What is interesting about this latest extortion attack example is the shared traits of v2 and v3 with respect to the attack vector poker tells -- somewhat unusual DDoS vectors and the wide range of IP space targeted during v2 activity. Both attacks featured the Apple Remote Management Service (ARMS) vector, while the second attack also leveraged a UDP Amplification technique known as WS-Discovery (WSD), which was first discovered and reported on by the Akamai SIRT in the Fall of 2019 and also associated with previous DDoS extortion activity. Its sudden reemergence was a telltale sign that targeted customers most likely had received an extortion attempt.
Additionally, and as an important side note, the attacks we've observed are not particularly sophisticated. Ninety-nine percent of malicious traffic was of two packet lengths and composed of easily blockable vectors. We believe this reflects the incredibly low barrier to launch an "entry-level" DDoS attack that still packs a punch in terms of bandwidth but lacks the complexity associated with other more advanced threat actors.
We've been told that the cost to launch a DDoS attack from dark web toolkits recently dropped from $10 to $5 (looks like attack tools aren't being affected by inflation). Regardless of the increased access, the most recent extortion attacks consisted of some of our most frequently blocked DDoS vectors, with the vast majority mitigated consistently with our zero-second SLA once new customers had routed onto our platform.
With respect to threat actor locations, traffic from the first attack was primarily sourced in Russia and Asia, though you can see European, Australian, and the North/South American sources were active in the latest round as well. While DDoS attack source IPs can be easily spoofed, we did observe a significant concentration of traffic originating from Russia, specifically.
Akamai DDoS guidance and runbook reminders
As was the case in late summer 2020, we continue to hear about more attacks than we see in the data, as attacked customers seek emergency integrations (we don't have visibility into customer traffic until they are onboarded). Attack attempts and follow-on attacks also lessen once subnets and IP spaces are routed onto Prolexic for protection, as threat actors tend to move on to other organizations that don't have adequate defenses in place.
We advise organizations to consider DDoS protections for all critical assets -- both customer- and internal-facing -- as the campaign continues, and extortion as a top attack motivator shows no sign of letting up. And for companies that have put off updating runbooks and tabletop attack exercises due to COVID-19, now is the time to ensure that incident response plans and processes are current -- not after you've experienced a DDoS event.
If you are currently under attack or threat of extortion, reach out to the Akamai DDoS hotline, 1-877-425-2624, for immediate assistance. Additionally, if you receive an extortion email, please contact local law enforcement. The more they have to work with, the more likely it is the criminals will be stopped.
For more technical details and additional resources, please see the following blog posts: