In late March, the FBI issued an advisory detailing the tactics of a ransomware gang that has been targeting victims in critical infrastructure sectors, including financial services, manufacturing and government.[1] In some cases, the FBI explained, ransomware operators will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations over the payout.
The vast majority of cyberattacks begin with a phishing email to an unsuspecting victim.[8] In fact, email is the top infection vector for ransomware incidents, according to a 2021 advisory from the Cybersecurity and Infrastructure Security Agency.[9] An email lures the recipient into opening infected attachments, clicking on malicious links or revealing their passwords. Some ransomware campaigns use email in new ways (for example, entering networks via encrypted emails) to evade email security filters.
On the DDoS side, attackers may send personalized emails threatening an attack as a way to extort money or, if an encryption attack is already in progress, to double down on companies that are slow to hand over demanded ransom. The DDoS attack itself will often begin with the infection of email-delivered malware capable of self-propagating on the network.
Instead of just encrypting data files on a workstation (plus any network drive it can find) and locking the machine, a new variant of the Cerber ransomware is now adding a DDoS bot that can quietly blast spoofed network traffic at various IPs, according to KnowBe4.
This is the first time DDoS malware has been bundled within a ransomware infection. It means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim. Two attacks for the price of one (and two ways cybercriminals can make money off victims).
Many people get infected with ransomware but some are able to restore from backup. By adding a DDoS bot to the ransomware payload, these cybercriminals create a two-for-one and can squeeze network traffic out of non-paying victims and use it as another criminal revenue stream.
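The defender's counterpart to the bundled DDoS bot described above is spotting an internal endpoint that has started emitting forged-source traffic toward outside targets. The following Python is an added example, not code from KnowBe4 or from this article: it scans constructed flow records from an assumed internal access switch and flags ports whose traffic carries non-local source addresses or that blast a large packet volume at several external hosts. The local prefix, port names, addresses and threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site address space: any packet seen on an internal access port
# should carry a source address from this prefix.
LOCAL_PREFIX = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample flow records (not from the page), one per
# (access_port, src_ip, dst_ip, packets). port-17 behaves like an infected
# endpoint: it sends forged-source traffic to many external targets.
SAMPLE_FLOWS = [
    ("port-03", "10.20.4.11", "10.20.1.5", 120),
    ("port-03", "10.20.4.11", "93.184.216.34", 40),
    ("port-17", "10.20.4.25", "10.20.1.5", 80),
    ("port-17", "198.51.100.7", "203.0.113.10", 50000),
    ("port-17", "192.0.2.99", "203.0.113.11", 48000),
    ("port-17", "203.0.113.200", "203.0.113.12", 51000),
]


def is_spoofed(src_ip, local_prefix=LOCAL_PREFIX):
    """True when a source address seen on an internal port is not local,
    i.e. the sending host forged it (or is badly misconfigured)."""
    return ipaddress.ip_address(src_ip) not in local_prefix


def find_suspect_ports(flows, local_prefix=LOCAL_PREFIX, pkt_threshold=100_000):
    """Return {port: [reasons]} for ports that emit spoofed-source traffic or
    exceed pkt_threshold packets toward three or more external hosts."""
    stats = defaultdict(lambda: {"spoofed": 0, "packets": 0, "ext_dsts": set()})
    for port, src, dst, pkts in flows:
        s = stats[port]
        s["packets"] += pkts
        if is_spoofed(src, local_prefix):
            s["spoofed"] += 1
        if ipaddress.ip_address(dst) not in local_prefix:
            s["ext_dsts"].add(dst)
    findings = {}
    for port, s in stats.items():
        reasons = []
        if s["spoofed"]:
            reasons.append(f"{s['spoofed']} flows with non-local source address")
        if s["packets"] >= pkt_threshold and len(s["ext_dsts"]) >= 3:
            reasons.append(f"{s['packets']} packets to {len(s['ext_dsts'])} external hosts")
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in find_suspect_ports(SAMPLE_FLOWS).items():
        print(port, "->", "; ".join(reasons))
```

A hit on the spoofed-source rule alone is worth an isolation ticket, since no legitimate workstation should ever originate packets with a foreign source address.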
Ransomware and DDoS attacks are costly to organisations that fall victim, in terms of reputational damage and picking up the pieces, as well as potential enforcement from the ICO and compensation claims by data subjects.
A ransomware attack is one in which a type of malware attempts to unlawfully encrypt files on a host computer system, rendering them inaccessible and unusable (ICO). Victims of ransomware attacks are asked to pay, often in cryptocurrency, to have the data returned and/or decrypted.
DDoS (Distributed Denial of Service) attacks are malicious attempts to overwhelm a targeted server, service or network to disrupt normal traffic and render it inaccessible (Cloudflare). Nowadays, DDoS attacks are often amplified by hijacked IoT equipment and other connected devices.
Both types of attack target one or more of the pillars of the Confidentiality-Integrity-Availability information security triad, including blocking or inhibiting access to personal data, which can result in breaches of the EU GDPR or UK GDPR. Additionally, attackers can threaten to publish the personal data online if the victim fails to pay.
The ICO recently published new guidance on how to deal with ransomware attacks including stipulating what constitutes a personal data breach and additional preventative measures organisations should take. The ICO has highlighted that failure to follow available guidance has influenced their determination of whether organisations acted reasonably in meeting their obligations as data controller, and as a result, the penalty amount.
Additionally, an organisation may be exposed to compensation claims by data subjects for material damage or infringing their right of access. As we have seen with the rise of cookie claims by individuals, despite a low level of enforcement by the ICO, individuals are not afraid to try to claim back costs for loss of control, material damage and/or distress.
Preparation is key to preventing or at least mitigating the fallout of a ransomware or DDoS attack, and therefore an availability, integrity and/or confidentiality breach. The NCSC has a free online tool for planning a cyber incident management exercise and the ICO provides a 10-part checklist and several scenarios to help organisations tackle data breaches.
Since 2020, ransomware and ransom denial-of-service (RDoS) have become ubiquitous with ransomware attacks grabbing headlines nearly every week. While ransomware and ransom DoS have a common objective and some of their tactics overlap, their techniques and success rate are quite different, and so is the threat and potential impact for organizations. Over time, as both threats evolved, they have been cross-leveraging reputation and techniques.
Ransomware attacks leverage a crypto-locking malware that destroys systems and makes data inaccessible. Crypto-locking malware needs to be deployed on servers inside the organization. Attackers need to breach the network or a device inside the network and then move laterally across the organization to impact as many systems and lock as much data as possible. Initial access is typically provided by Initial Access Brokers, the middlemen who use their own methods to breach and gain a foothold in networks and then sell that access to other threat actors, mostly ransomware gangs or their affiliates.
An RDoS attack starts with the attacker sending a private message, for example by email using a privacy-minded email provider, asking for payment of a certain ransom amount to prevent the organization becoming the target of their next attack. If the organization decides not to pay within a set deadline, the attackers will start a DDoS attack and continue until the ransom is paid. Typically, the ransom demand increases every day the victim refuses to pay.
In reality, DDoS attacks tend to disappear as soon as the actor finds their attempts being successfully mitigated. They last for several hours, change vectors in an attempt to evade the detection and mitigation systems, and might flare up again several days after failed attempts, but ultimately the extortionists are forced to walk away empty-handed.
Techniques leveraged by ransomware operators have evolved and diversified to increase their chances of reaching their objective. As victims became better prepared, with backups readily available to restore and recover from crypto-locking malware, ransomware operators started exfiltrating sensitive data that would give them more leverage over the victim. If the victim still was not impressed, operators started threatening DDoS attacks and pressured their victims into coming back to the negotiation table.
Speaking from personal experience, I have yet to see a DDoS attack that blasts through our defenses. That said, there is always a small window of time where bad traffic can potentially leak while detection algorithms are crafting automated signatures to block bad traffic and tune the signatures to avoid false positives that would block legitimate traffic. But in general, there is, in my experience, no reason to pay the ransom when protected by an adequate DDoS service.
Ransomware, on the other hand, is a very hard threat to defend against and eliminate. Ransomware operators have been organizing their underground ecosystems and have gathered a large following of skilled hackers-for-hire and affiliates that are happy to share the profits from large extortion campaigns. The incentive has become too big, and the demand for hacking skills and resources on the underground has been growing ever since ransomware operators began running successful campaigns. With highly motivated threat actors looking for payments from organized cybercrime groups, attacks have shifted from automated to human-operated. It is one thing to defend against automation, but far more difficult to defend against human intelligence and perseverance driven by multi-million-dollar payouts.
Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off the web last September, including Spotify, Reddit, and The New York Times. And over the past week, the WannaCry ransomware outbreak crippled systems ranging from health care to transportation in 150 countries before an unlikely "kill-switch" in its code shut it down.
Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.