Ransom DDoS attacks: Tips and strategies against the threat of blackmail

2 February 2023

A DDoS attack (Distributed Denial of Service) is a targeted attack on components of the IT infrastructure, or on individual IT services, with the aim of causing a service outage. Criminals send a large number of supposedly valid requests to a single target until the system is overloaded and can no longer process all requests simultaneously and in a timely manner. It becomes inaccessible to legitimate users.

Successful (ransom) DDoS attacks affect the availability of services both directly and indirectly, for example when basic services such as DNS or authentication are also affected. Thanks to sophisticated programmes, both organised groups and individuals can carry out the attacks.

Course of RDoS attacks

A further development of DDoS scenarios, based on the concept of ransomware, is the RDDoS attack (Ransom Distributed Denial of Service). In this case, the actors combine a denial-of-service attack with a concrete ransom demand. The ransom demand can be placed before the technical attack in order to prevent it, or during the attack in order to stop it.

RDoS threats should always be taken seriously, even if there is not an actual DDoS threat behind every ransom demand. A successful attack requires a large network of compromised devices (a botnet). However, one can easily be hired via "cybercrime-as-a-service" providers. For the attacker, the effort is worthwhile if the victim pays as quickly as possible and no other problems arise.

Companies where even short outages cause considerable damage are particularly popular targets of attack. However, payment does not solve the problem in the long run, because a repetition of the attack by the same or another attacker would be possible at any time.

Protection against (R)DoS attacks

Targeted preparation for possible dangers and risks is an essential success factor. Current next-generation firewall systems that support the appropriate functions help. However, defence and detection of invalid requests are not always enough. Identifying which systems would be particularly affected by these attacks is the basis of precautionary and emergency planning. [1]
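One way to do this identification step, as an added example that is not part of the original article: a service dependency map is walked to find which services fail directly or indirectly when one of them is overloaded, such as DNS or authentication. The service names and the dependency map are constructed sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample inventory (assumption): service -> services it depends on.
DEPENDS_ON = {
    "dns": [],
    "auth": ["dns"],
    "web-portal": ["dns", "auth"],
    "payment-api": ["dns"],
    "webshop": ["web-portal", "payment-api"],
    "mail": ["dns", "auth"],
    "status-page": [],  # hosted externally, shares no dependencies
}


def impacted_by(overloaded, depends_on):
    """Return {service: hops} for every service that becomes unavailable
    when `overloaded` is down: 0 = direct, 1 or more = indirect."""
    # Invert the map so each service lists the services that rely on it.
    dependents = {svc: [] for svc in depends_on}
    for svc, deps in depends_on.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(svc)
    hops = {overloaded: 0}
    queue = deque([overloaded])
    while queue:  # breadth-first walk, so hops is the shortest chain
        current = queue.popleft()
        for svc in dependents.get(current, []):
            if svc not in hops:
                hops[svc] = hops[current] + 1
                queue.append(svc)
    return hops


def protection_priority(depends_on):
    """Rank services by how many other services an outage would take down."""
    ranking = [(svc, len(impacted_by(svc, depends_on)) - 1) for svc in depends_on]
    return sorted(ranking, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for service, count in protection_priority(DEPENDS_ON):
        print(f"{service:12} outage also takes down {count} other service(s)")
    print("dns outage, hops per service:", impacted_by("dns", DEPENDS_ON))
```

Services at the top of the ranking are the ones to cover first in precautionary and emergency planning, even if they are not customer-facing themselves.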

Important services such as websites or other large portals should be operated by a good hosting provider. The provider should have precautions against DoS attacks in place and be able to help and support if necessary.

If systems are operated within a company with its own internet connection, this physical line is usually the limiting factor. Countless requests overload it. Often, the direct service provider can support or even offer services to detect and mitigate DoS attacks.

Cloud-based services prepared in advance can also provide DoS filters, reserve resources or backup services. Activating them often makes it possible to at least bring emergency services online and surprise the attacker with some countermeasures.

Conclusion: In general, the recommendation is never to accept demands from cybercriminals. Once they know that a company is willing to pay, other types of attacks can follow. The good news is that a DoS attack at least does not permanently damage or manipulate one’s own systems. If the attacker has the impression that a company is well prepared and does not respond to demands, it is usually not worthwhile to continue. The chances are then good that the actor will move on to look for an easier victim.

