Ransom DDoS attacks: Tips and strategies against the threat of blackmail

A DDoS attack (Distributed Denial of Service) describes a targeted attack on components of the IT infrastructure or even on individual IT services in order to cause a service outage. Criminals send a large number of supposedly valid requests to a single target until an overload of the system occurs and it is no longer able to process all requests simultaneously and in a timely manner. It becomes inaccessible to legitimate users.

Successful (ransom) DDoS attacks affect the direct, but also indirect availability of services, for example if basic services such as DNS or authentication are also affected. Thanks to sophisticated programmes, both organised groups and individuals can carry out the attacks.

Course of RDoS attacks

A further development of DDoS scenarios, based on the concept of ransomware, is the RDDoS attack (Ransom Distributed Denial of Service). In this case, the actors combine a denial-of-service attack with a concrete ransom demand. The ransom demand can be placed before the technical attack in order to prevent it, or during the attack in order to stop it.

RDoS threats should always be taken seriously, even if there is not an actual DDoS threat behind every ransom demand. A large network of compromised devices (botnet) is necessary for a successful attack. However, this can be easily hired via “cybercrime-as-service” providers. It is worthwhile if the victim pays as quickly as possible and no other problems arise.

Companies where even short outages cause considerable damage are particularly popular targets of attack. However, payment does not solve the problem in the long run, because a repetition of the attack by the same or another attacker would be possible at any time.

Protection against (R)DoS attacks

Targeted preparation for possible dangers and risks is an essential success factor. Current next-generation firewall systems that support the appropriate functions help. However, defence and detection of invalid requests are not always enough. Identifying which systems would be particularly affected by these attacks is the basis of precautionary and emergency planning. [1]

Important services such as websites or other large portals should be operated by a good hosting provider. This should include precautions against DoS attacks, which can help and support if necessary.

If systems are operated within a company with its own internet connection, this physical line is usually the limiting factor. Countless requests overload it. Often, the direct service provider can support or even offer services to detect and mitigate DoS attacks.

Prepared cloud-based services can also provide DoS filters, reserve resources or backup services. Such activation often makes it possible to at least bring emergency services online and surprise the attacker with some countermeasures.

Conclusion: In general, the recommendation is never to accept demands from cybercriminals. Once they know that a company is willing to pay, other types of attacks can follow. The good news is that a DoS attack at least does not permanently damage or manipulate one’s own systems. If the attacker has the impression that a company is well prepared and does not respond to demands, it is usually not worthwhile to continue. The chances are then good that the actor will move on to look for an easier victim.