DDoS Extortion Campaigns (Ransom DDoS, or RDoS) To Watch Out For

A ransom-driven DDoS attack is a new scheme performed by a group of cybercriminals that threaten to launch Distributed DoS attacks against unprotected companies. These groups extort victims by demanding ransom payments and intimidating them.

Ransom DDoS can be so deadly because first, it creates fear, and second (if they are executed), they can hold the service of systems, websites, servers, or entire networks “ as prisoners.” 

Organizations victims of these DDoS extortion campaigns see no other way than to “buy back” their compromised service.


How Did Ransom DDoS Come into Existence?

Many DDoS attackers were initially hacktivists. These were attackers motivated by political indifferences and used the attacks against organizations that differed from their values. But now, hacktivism is nearly dying. Data published by the IBM X-Force confirmed that the hacktivism activity dropped 95% since 2015. Now, hackers have a different drive: They are mainly motivated by financial gains. So whatever skills they have, they’ll put it into cybercrime. Although DDoS threats with monetary gain have been going around for a couple of years now, it was never taken seriously. During this year (2020), with the COVID-19 and everyone working at home, the outbound threats and extortion levels have exploded. In August 2020, the Ransom DDoS (RDDoS) campaigns started to be very aggressive. Well-known hacking groups as Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective were identified to be behind these campaigns.According to a recent FBI report, these criminal groups are targeting the financial, retail, and e-commerce industries. Other groups of cybercriminals have started to adopt the same model, and although some of them didn’t even have the resources and skills to make a proper DDoS attack, they do have the money to hire someone else to do the dirty job. DDoS attacks are trendy criminal commodities. According to the same FBI report, booters and stressers are two DDoS-for-hire services that were creating massive havoc for a profit.

What is a Ransom DDoS? In Detail. 

In a nutshell: Attackers extort businesses with vulnerable systems and applications. They threaten to compromise these systems with a DDoS attack and ask for a ransom.Ransom DDoS is not a one-size-fits-all attack. First, it depends on the target; the attacker would need to perform active reconnaissance and scanning to find vulnerabilities. If the victim is already weak, attackers could use their own botnet. But if they don’t have the resources for denying service to large targets, they are likely to go for a Hackers-for-hire or DDoS-as-a-Service. 


a. In the RDDoS world there are two modus operandi.

1. Perform DDoS first. They’ll perform the DDoS attack first and then send the ransom note demanding payment to stop the undergoing attack. This is how kidnapping operates; they hold someone for ransom and promise to release only after payment is complete. This type of attack can be resource-intensive for the attackers. 

Hackers gather intelligence. Perform a DDoS attack.  The company receives a ransom note. The DDos Stops only if payment is sent.

2. Send an extortion note first. This is a more popular approach now. The victim receives an extortion letter saying that if they don’t pay a ransom within 6-7 days, they will receive a DDoS attack. The extortion letter might also be accompanied by a small-scale DDoS demo attack to prove that the attackers are in control. 

Hackers gather intelligence. A company receives a ransom note. Perform a small-scale DDoS demo Wait 6-7 days until the real attack

b. How do RDDoS attackers TRY to control the situation?

A well-executed DDoS can be destructive and hard to stop. If a DDoS does take down the service, then this is proof of their control. But powerful DDoS attacks are very hard to execute. It is nearly impossible to throw a 3 Tbps attack for 24 hours (if they are, then it is a very serious situation).Attackers may try to gain control using the following threats:

  1. They could take credit for previous DDoS attacks that targeted the same victim. Or pretend to be the originators of an undergoing attack.
  2. They could also use the small-scale DDoS demo to give them a false sense of control. Hackers are likely using a handful of computers performing intense DoS attacks towards the single target.
  3. To instill urgency and rush the victim to comply, hackers include a hard deadline with cumulative fees. They’ll usually set up a payment deadline (6-7 days) continued by the DDoS attack. If the victim fails to pay the initial fee in the requested deadline, the DDoS traffic and the amount increases by the day (or hour). 

c. What are the cybercriminal requests?

Hackers typically request Bitcoins as payment. According to their ransom note, if a business can’t pay the initial amount on the requested day, they’ll start the attack. The initial demanded amount varies according to the target, but sources suggest that it can be anything from 1/2- 20 Bitcoins ($7,500 to $290,000) to be paid. 

d. Receiving the DDoS.

According to the FBI, most Ransom DDoS victims reported not receiving the major DDoS attack after the first deadline. Still, all acknowledge that the small-scale demo could have been mitigated as it did affect some services.The FBI has also reported that the cyber-criminals use a variety of DDoS attack vectors— from SYN Flood, DNS Flood, CLDAP, GRE Protocol Flood, and SNMP Flood. So depending on the type of DDoS attack and the security of the target, service downtime may be a matter of seconds, hours, days, or even weeks. When does it stop? The DDoS comes to a halt when the attackers deplete their resources, or it is stopped with an automatic mitigation tool. 

How to Fight Against RDDoS? 

First and foremost, the FBI recommends NOT TO PAY THE RANSOM for several reasons. 

  1. There’s no guarantee that the attack is authentic and will come. Anyone can write a ransom note, but not just anybody can do an effective DDoS.
  2. The payment does not guarantee that the DDoS attack will stop. 
  3. Additionally, the FBI states that these criminal organizations are looking for funding to scale their attacks and target other higher-profile organizations. And if you pay them, they are likely to come back as you are another easy-to-comply victim.
  4. If an attack does come to some degree, understand that the most powerful DDoS attacks require extensive resources to execute and maintain. An attacker with some resources can also hire a DDoS-as-a-Service. But again, this requires time, effort, and money from the attacker.

Putting up a DDoS mitigation plan. 

Threats that put security at risk should be taken seriously. Before it is already too late, begin by putting up a mitigation plan. Identify and implement the right actions that will reduce (or eliminate) potential downtimes. The two of the best actions to prepare for an attack are distributing workloads/data and putting a DDoS mitigation filtering in place. Using a Content Delivery Network (CDN) will usually not stop the attack, but it will help mitigate their strength – as it depends on the type of DDoS. It can help distribute the load and avoid a single point of congestion.DDoS protection by solutions like Cloudbric’s Smart Web Application Protection (WAF) will protect all Internet-facing assets. This cloud-based service receives all traffic, analyzes it, and filters it. WAF’s DDoS protection will keep track of connections, be aware of blacklisted IPs, and perform DPI (Deep Packet Inspection) at layer 7. And most importantly, it will limit the rate in case of a suspicious DDoS volumetric attack. 


WAF is a Web-Application Firewall, backed up with AI-based deep learning. WAF detects DDoS by filtering out malicious traffic, and uses AI to adapt to the patterns. 

During a DDoS Attack.

For a threat to work, it might take some social engineering skills. But an undergoing DDoS attack is no longer a threat— it is likely already doing severe damage. 

  1. First off, don’t panic! Panic will make you rush into making the wrong decisions. Bring your IT personnel together to discuss and find a solution. 
  2. File a case with local authorities. If possible, report it to the appropriate local law enforcement authorities. Get a case file opened on your local police and get all documentation in order. Reporting the cyber extortion to police will likely not solve your problem. Still, it helps push more resources into cybercrime investigations, catch the bad guys, and prevent this from happening in the future. The FBI urges victims to report these schemes to local intelligence authorities and to use DDoS mitigation services to identify and stop these attacks automatically. 
  3. Last but not least, let the Smart DDoS Mitigation Tool do the job!