Over the past few months, our security operations group has identified and mitigated an increasing number of DDoS attacks tied to extortion attempts from different cybercrime groups, including DD4BC, Armada Collective and a few other unnamed ones. These DDoS extortion attempts are starting to target smaller websites that may be less able to defend themselves.
DDoS Ransom Email
It all starts with a simple email similar to this one:
Subject: Ransom request: DDOS ATTACK!
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are [Criminal Group].
All your servers will be DDoS-ed starting Friday if you don’t pay 2 Bitcoins @ [BITCOIN ADDR]
When we say all, we mean all – users will not be able to access sites host with you at all.
Right now we will start 30 minutes attack on your site’s IP (victims IP address). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It’s just to prove that this is not a hoax. Check your logs!
If you don’t pay by Friday , attack will start, price to stop will increase to 4 BTC and will go up 20 BTC for every day of attack.
This is not a joke.
This ransom email is followed by a small-scale DDoS attack that can last from 30 to 60 minutes. After 24 hours, if the ransom is not paid, the attacks increase and can last many hours.
DDoS for Bitcoin
This type of extortion activity started last year (around June 2014) and focused mostly on Bitcoin exchange sites and financial institutions. Attacks were a rare occurrence, happening every couple of months.
The ransom prices were high at around 40 Bitcoins ($14,000 USD) to stop the attacks.
By the beginning of 2015, these DDoS extortion campaigns picked up steam with a group called DD4BC (DDoS for Bitcoins) attacking many properties in a short period of time. They got a lot of media attention, and some interesting analysis of their activities and tactics was done by the Arbor and Akamai teams.
It Won’t Happen to Me
Even though the media and security companies were already talking about this DDoS extortion threat, for most webmasters it felt like a foreign threat only affecting very large institutions and financial websites.
However, over the course of the last couple of months, we started to see an increasing number of extortion attempts against more average-sized sites. Everything from forums, small e-commerce and even some online gaming properties started receiving the threats and being DDoS’ed.
The price to stop this new wave of attacks also went down significantly, to just 2 Bitcoins ($700 USD). We are seeing these new DDoS ransom attempts more and more from what seems like an unnamed copycat group. They send a similar email threat:
All your servers are going under attack unless you pay 2 Bitcoin.
Pay to [BITCOIN]
Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 200-300 Gbps.
Right now we are running small demonstrative attack on 1 of your IPs: [REMOVED]
Don’t worry, it will not be hard, since we do not want to crash your server at this moment, and will stop in 60 minutes. It’s just to prove that we are serious.
We are aware that you probably don’t have 2 BTC at the moment, so we are giving you 24 hours to get BTC and pay us…
This is followed by a SYN flood and layer 7 attack against the site.
After 24 hours, the attacks generally increase in size and can reach up to:
- 3-4 million packets per second – SYN flood
- 400-500 HTTP requests per second – HTTP flood
- 20-25 Gbps – UDP flood
Most of the time we see all of these DDoS attack types happening at the same time. That is generally more than enough to take most sites down and get them null-routed by their hosting providers.
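Checking your own logs for the demonstration flood, as an added example that is not part of the original post: this script parses constructed Apache/Nginx-style access log lines (sample data, not real traffic), buckets requests per second and reports windows where the rate stays at or above a threshold (defaulting to 400 requests per second, the low end of the HTTP flood rate quoted above), with each window's duration and peak. The threshold parameter, function names and the sample log generator are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache/Nginx "combined" access log prefix: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def requests_per_second(lines):
    """Count parseable requests per one-second bucket (keyed by aware datetime)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[datetime.strptime(m.group("ts"), TS_FMT)] += 1
    return counts

def find_flood_windows(counts, threshold_rps, min_seconds=2):
    """Return (start, end, peak_rps) for runs of consecutive seconds at/above threshold."""
    windows, run = [], []
    for ts in sorted(counts):
        hot = counts[ts] >= threshold_rps
        if hot and (not run or (ts - run[-1]).total_seconds() == 1):
            run.append(ts)          # extend the current burst
            continue
        if len(run) >= min_seconds: # burst ended (or a gap): record it if long enough
            windows.append((run[0], run[-1], max(counts[t] for t in run)))
        run = [ts] if hot else []
    if len(run) >= min_seconds:
        windows.append((run[0], run[-1], max(counts[t] for t in run)))
    return windows

def analyze(lines, threshold_rps=400):
    """Summarize flood windows as (start, end, peak_rps, duration_seconds)."""
    return [(s.isoformat(), e.isoformat(), peak, int((e - s).total_seconds()) + 1)
            for s, e, peak in find_flood_windows(requests_per_second(lines), threshold_rps)]

def constructed_log(base_rps=2, flood_rps=450, flood_start=10, flood_len=5, total=20):
    """Constructed sample log: quiet baseline with a 5-second, 450 rps burst (not real traffic)."""
    lines = []
    for sec in range(total):
        rate = flood_rps if flood_start <= sec < flood_start + flood_len else base_rps
        ts = datetime(2015, 11, 2, 12, 0, sec, tzinfo=timezone.utc).strftime(TS_FMT)
        for i in range(rate):  # TEST-NET addresses (RFC 5737) as constructed client IPs
            lines.append(f'203.0.113.{i % 254 + 1} - - [{ts}] "GET / HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    for start, end, peak, secs in analyze(constructed_log()):
        print(f"flood {start} .. {end}: {secs}s, peak {peak} req/s")
```

On a real access log, replace constructed_log() with the file's lines and lower the threshold to a few multiples of your normal peak rate; a window lasting roughly 30 to 60 minutes matches the demonstration attack described in the ransom emails.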
This increase in DDoS-for-ransom is concerning, as it seems that webmasters are often paying. These attempts would fade away if they were not financially lucrative. If you ever get such a threat, do not pay!
Again, do not pay these ransom requests. Instead of sending money to the criminals, reach out to your ISP or security provider to see if they can help you. If you have to spend money, spend it on protecting yourself, and understand that they may still attack you even if you pay the ransom. As with ransomware, your best option is to have backups and protection in place before your website is attacked.
You can also contact us and we will help you navigate through this experience. Plus, sites behind our Website Firewall (CloudProxy) are already well protected against these threats.