Wednesday, February 21, 2024
Daily Tech Updates

ID11 Cyber Threat Actors Branch Out to New Forms of Extortion

By TrendsTechBlog , in SECURITY , at August 31, 2022 Tags: , ,

Cybercriminals continue to target hard-working businesses at any opportune moment with an increasingly complex patchwork quilt of attack vectors. Following the latest trend in low-risk, high-profit extortion, DDoS attacks are now regularly being combined with ransom attacks. What is RDDoS and how can you protect yourself against this growing threat?

Ransomware: The King of Ransom

The concept of taking sensitive data hostage is quite old. The original ransomware – dubbed the AIDS trojan – cropped up in 1989, as its creator distributed a floppy disk at the World AIDS convention. Claiming to include information on the titular virus, the disk instead contained a payload that would first count the number of boot cycles, then – upon the number hitting 90 – proceeded to encrypt system files with a simple encryption method. To have their files decrypted, victims were told to send to an address in Panama. Thankfully, the encryption was fairly simple, and decryption programs were soon commercially available. 

Ransomware attacks did not hit their stride until well into the 2000s. This was partially due to a lack of suitably anonymous payment. By the time Bitcoin hit the scene in 2010, encryption technology had advanced to an almost irreversible state. Military-grade encryption is now easily available for the aspiring criminal, and the rapid adoption of cryptocurrency perfectly set the stage for major ransom attacks. 

Individuals and businesses the world over were totally unprepared for the explosion of CryptoLocker in 2013. This brand-new breed of ransomware made use of cryptography key pairs, generated from a command-and-control server, making sure victims had no way out unless they sent the ransom of $300. 

The Rise of Encryption-Free Ransom

Ransomware’s sheer profitability predicted its meteoric rise in popularity. A key component to the ransom process is removing the target’s control over their data via encryption. Increasingly, however, cybercriminals have achieved this through remote data theft. Part of the success of this technique relies upon the spiraling cost of data breaches: the average cost of which has already increased by 2.6% this year, from $4.24 million in 2021 to $4.35 million now.

The number of ransom attacks that are veering away from encryption shows that cybercriminals are rapidly exploring an easier, less demanding form of ransom. By exfiltrating unencrypted data, and threatening to leak it publicly, the legibility of the data means a company must make the choice between paying the ransom and letting their customers’ data be publicly leaked and sold to other criminals.

Karakurt is a new extortion gang that relies purely on these unencrypted ransoms. With victims’ losses as high as $13 million, the group attacks indiscriminately. Karakurt attackers will steal sensitive data including security numbers, email addresses, company blueprints, and more. Once they’ve stolen this data, they reach out to victims’ employees, business partners and clients, demanding the ransom to be paid. The threat of a data breach hanging heavy, many organizations cave to the incessant harassment and pressure to pay up.

Ransom Distributed Denial of Service (RDDoS) attacks heighten the stakes even further: the business is not offered a choice between paying the ransom or suffering a data breach. Instead, the business must pay extortionate fees to simply remain online. RDDoS groups extort victims via large scale DDoS attacks that are even easier to pull off than data exfiltration attacks. Requiring absolutely no access to company systems, and with operational botnets plentiful on underground marketplaces, it is now easier than ever to commit high-profit extortion attacks on unsuspecting victims. Consider the fact that DDoS attacks cost US businesses an average of $218,000 per attack: any ransom priced below this presents a genuinely tempting option. 

Attackers may launch DDoS attacks first, then send a ransom note later – lazy criminals may opt for a note first. It is never wise to assume the latter is telling the truth, as opportunistic scammers are more than happy to profit off the technical capabilities of real cybercriminals. 

The RDDoS Hit List Grows

RDDoS attacks hit the scene in 2020, and rapidly made waves. The New Zealand stock exchange battled multiple instances as their network service provider was struck from overseas. This greatly impacted NZX connectivity, causing a complete halt in the cash trading markets by mid-afternoon. 

A second attack proceeded to bring down the NZX’s website, their announcement platform, the NZX debt and Fonterra shareholders’ markets. For this time, many organizations and individuals were unable to participate in the market. Connection was restored four hours later, once the attack had ended and connection was finally re-established.

An active DDoS attack can be incredibly alarming to both customers and organizations alike. Whilst it’s unclear whether the NZX decided to pay up for the ransom or mitigate the attackers’ attempts, a growing number of cybercrime gangs are simply opting for the easy way out. This perfectly describes the so-called Armada Collective. This group follows a very recognizable set of steps.

First, they find a company – any will do, though the bigger and more public-focused, the better. They then reach out to any email address available, with a highly alarming message.

Introducing themselves as the Armada Collective, the email explains how the victim’s network will be DDoS-ed, starting at a specified date in the very near future – unless the company pays a fee of 10 Bitcoin. 

The gang then proceed to detail how – if the 10 BTC is not paid by the set date – a DDoS campaign will begin, and the fee to make it stop will rise to 20 BTC, then continue to rise by another 10 BTC for every day that the attack continues. 

The gang signs off by telling their victims not to respond: simply that they will know when they have been paid. The email details the Bitcoin wallet address, and reassures the reader that the payment is totally anonymous. This is correct – and also shows the holes in the attackers’ gameplan. As the payment is anonymous, it is, in fact, impossible to tell who has paid the extortion fee. This is supported by the fact that Armada Collective has actually never followed through with their DDoS threats – regardless of whether the fee is paid or not.  Despite the group’s lack of true damage, an analysis of their listed Bitcoin wallet address revealed a shocking number of victims. Many victims have paid the ransom fee out of fear.

How to Protect Yourself From RDDoS

DDoS threats are originating from increasing numbers of cyber gangs. Fancy Bear, Cozy Bear and Lazarus Group are all organizations of concern, and the only way to nullify their power over your organization is a solid form of DDoS mitigation. 

DDoS mitigation defends against volume attacks on your servers and networks. Automatically detecting traffic from malicious IP addresses, the fraudulent connections are diverted away from your server before the site request has initiated. This way, your server is not crushed under the weight of a million-strong botnet, and legitimate customers are still allowed access to your page. Pull the rug from under profit-seeking criminal gangs, and keep your brand online with a comprehensive DDoS defense.

Also Read: PCB Benefits To Integrating Into Your Manufacturing Business