Ransomware/DDoS combined attack

  • Fabian Sinner
  • May 11, 2023


    DDoS attacks as a dangerous smokescreen

    Distributed denial of service (DDoS) attacks are currently on the agenda across Europe. Such attacks are no longer launched only by criminals for profit; they are increasingly being used for politically motivated purposes as well.

    DDoS attacks on their own are already a serious challenge for companies and have caused major damage in the past, but one combination of attack patterns carries a disproportionately higher potential for harm: a distributed denial of service attack whose sheer volume is used to mask the infiltration of ransomware.

    Overview Ransomware

    Ransomware is malicious software (malware) that cybercriminals use to gain access to the data or networks of individuals or companies. Once inside, they encrypt the data or lock the systems and demand an exorbitant ransom for the key to unlock them.

    A major issue with ransomware is that even if you pay, there is no guarantee that the attackers will restore access to your data. For this reason, the BKA (Germany's Federal Criminal Police Office), for example, expressly warns against giving in to the blackmail and paying the demanded amount.

    In addition, the threat has exploded due to Ransomware-as-a-Service (RaaS). With RaaS, developers sell or lease the ransomware they have written to affiliates, opening the door to actors who could never have developed such malware themselves. Authorities warn that this dangerous trend will continue.

    Using ransomware is a criminal act and will therefore be prosecuted by the authorities. 

    DDoS attacks as a distraction for ransomware

    DDoS attacks used as a diversion within a multi-stage attack are nothing new. However, because DDoS attacks are now launched more frequently and with greater intensity than in the past, the risk that something is overlooked amid the defensive effort grows.

    During a DDoS smokescreen, the flood of requests congests the traffic profiles so badly that the attacker's real activity disappears into the noise. Inspection systems that have to examine every incoming and outgoing packet, such as intrusion detection and data loss prevention, are computationally expensive and are pushed to their limits by the volume; once they saturate, traffic can pass with little or no inspection, and malware delivery or data exfiltration goes unnoticed.

    Because a DDoS attack always carries the risk of a general system overload, with the reputational and financial losses that follow, IT will typically throw every available resource at mitigating the incident. Attention is divided, and the big picture is lost.

    It is precisely in such moments that the attackers can feed their malware, such as ransomware, into the environment unhindered. By the time the flood subsides, it is usually too late.
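    The following is an added example, not code from Link11 or from the original article, showing why egress monitoring should be computed independently of the inbound flood. It assumes a constructed 30-second set of flow records, a hypothetical corporate range 10.0.0.0/16 and documentation addresses for the external hosts. The flood detector counts inbound flows per second; the egress check baselines which external destinations each internal host normally talks to and flags large transfers to previously unseen destinations. Because the second computation looks only at internal-to-external flows, the 8,000 flood flows add nothing to it, and the 36 MB leaving one workstation during the flood still stands out:

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (NetFlow-style), constructed for this example."""
    ts: int          # second of the capture in which the flow was seen
    src: str
    dst: str
    dst_port: int
    nbytes: int      # bytes carried from src to dst


INTERNAL_PREFIX = "10.0."   # assumption: the corporate address range is 10.0.0.0/16


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def build_sample_flows() -> list:
    """Constructed 30-second capture: a quiet baseline, then from t=10 an
    inbound HTTP flood against the web server 10.0.0.5, while from t=12 the
    workstation 10.0.1.20 pushes 2 MB/s to a host it has never talked to."""
    flows = []
    for t in range(30):
        # ordinary outbound SaaS traffic from two workstations
        flows.append(Flow(t, "10.0.1.20", "203.0.113.10", 443, 20_000))
        flows.append(Flow(t, "10.0.1.21", "203.0.113.10", 443, 15_000))
        # ordinary inbound web traffic: 20 visitors per second
        for i in range(20):
            flows.append(Flow(t, f"192.0.2.{100 + i}", "10.0.0.5", 80, 500))
    for t in range(10, 30):
        # the flood: 400 extra requests per second from a whole /24
        for i in range(400):
            flows.append(Flow(t, f"198.51.100.{i % 254 + 1}", "10.0.0.5", 80, 600))
    for t in range(12, 30):
        # exfiltration hidden behind the flood: 2 MB/s to an unseen host
        flows.append(Flow(t, "10.0.1.20", "192.0.2.77", 443, 2_000_000))
    return flows


FLOWS = build_sample_flows()


def inbound_flows_per_second(flows) -> Counter:
    """Count external->internal flows per second (the flood signal)."""
    counts = Counter()
    for f in flows:
        if not is_internal(f.src) and is_internal(f.dst):
            counts[f.ts] += 1
    return counts


def flood_seconds(flows, threshold: int = 100) -> set:
    """Seconds in which the inbound flow rate reaches the threshold."""
    return {ts for ts, n in inbound_flows_per_second(flows).items() if n >= threshold}


def egress_alerts(flows, baseline_end: int = 10, min_bytes: int = 10_000_000) -> list:
    """Outbound bytes from internal hosts to external destinations that were
    NOT contacted during the baseline period. Only internal->external flows
    are examined, so the inbound flood contributes nothing to these totals."""
    known = set()
    totals = defaultdict(int)
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue
        pair = (f.src, f.dst)
        if f.ts < baseline_end:
            known.add(pair)
        else:
            totals[pair] += f.nbytes
    return sorted((src, dst, n) for (src, dst), n in totals.items()
                  if (src, dst) not in known and n >= min_bytes)


def analyze(flows) -> dict:
    """Run both detectors; the egress result is unaffected by the flood."""
    return {"flood_seconds": flood_seconds(flows), "egress_alerts": egress_alerts(flows)}


if __name__ == "__main__":
    result = analyze(FLOWS)
    print("flood from t=%d to t=%d" % (min(result["flood_seconds"]), max(result["flood_seconds"])))
    for src, dst, n in result["egress_alerts"]:
        print(f"ALERT: {src} sent {n:,} bytes to never-before-seen {dst} during the flood")
```

    The design point is the separation: the volumetric detector and the egress detector read the same records but key on different directions, so saturating one does not blind the other. In a real deployment the baseline would span days rather than ten seconds and the destination set would be per host, but the structure is the same.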

    Triple extortion increasingly popular

    Instead of simply deploying ransomware, criminals increasingly resort to triple extortion, a particularly dangerous approach designed to extract money from the victim on three levels:

    • Exfiltration: sensitive customer data is copied to external servers before anything is encrypted, and the company is threatened with its publication on the Internet.
    • Encryption: malware infiltrates the systems and encrypts critical data sets.
    • The threat of a DDoS attack: if the target does not respond to the demands, DDoS attacks are launched against it. Where an opportunity presents itself, further malware is injected under cover of the flood.

    Ransomware-as-a-Service, flourishing among cybercriminals, is massively boosting the trend towards such attacks.

    The consequences for companies are enormous: stolen and, in the worst case, published customer data is poison for any company's external image. If the company's own IT infrastructure is encrypted and it is locked out of its systems, the consequences go far beyond horrendous costs and long-term reputational damage.

    Examples of Triple Extortion

    In 2022, the FBI warned repeatedly about “AvosLocker,” a Ransomware-as-a-Service operation whose affiliates attacked U.S. critical infrastructure. Prior to deployment of the malware, targets were threatened with intense DDoS attacks if they did not respond to the group's demands.

    January 2022: the criminal group “Uawrongteam” hit the US appointment scheduling service “Flexbooker” with a massive DDoS wave, and amid the chaos the personal data of more than 3.7 million customers was stolen.

    BlackCat, also known as the ALPHV ransomware gang, is known to exfiltrate a company's information before encrypting it. If the company refuses to pay the ransom, the group's service also includes DDoS attacks as an additional means of pressure on the victim. One example was the attack on the energy company “Oiltanking”, whose entire IT system was paralyzed.

    How to protect against a combination of DDoS and ransomware?

    Companies should prepare for such worst-case scenarios before they occur. Only a well-positioned line of defense can stop attacks of this kind or, better still, prevent them altogether. An incident response plan, together with the steps for the subsequent system recovery, must therefore be ready before an attack, not written during one.

    These three steps can further strengthen the line of defense:  

    (1) Proven and cloud-based DDoS protection 

    Threats lose their power when you can rely on effective DDoS protection: the attack is absorbed and the infrastructure is spared. Moreover, a modern protection system mitigates automatically, which gives the staff behind it the time and headroom to watch for other anomalies, such as malware.

    (2) Zero trust policy   

    Under a zero-trust policy, no transaction and no identity is trusted by default; every request is authenticated and authorized on its own merits. This approach keeps defenders alert instead of assuming the network is safe, so security risks are noticed sooner and sources of danger can be eliminated before they become a problem. A concrete example is the scrutiny of potential phishing emails, which remain a major entry point for ransomware.

    (3) Secured web gateways  

    Enterprises should deploy a cloud-based secure web gateway with features such as Secure DNS (filtering and logging of DNS resolution) to make unwanted data exfiltration, including exfiltration tunnelled through DNS queries, as difficult as possible. This significantly reduces the risk of data being stolen.
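    As an added example that is not part of the original article, the following shows the kind of check a DNS-layer control can run over resolver logs to spot data being tunnelled out through DNS queries. It assumes a constructed query log in the form `<timestamp> <client> <qtype> <qname>`, two-label base domains (no public suffix list), and sha256 digests as stand-ins for encoded data chunks. A client/zone pair is flagged only when at least two independent signals fire (many distinct subdomains, long first labels, high-entropy first labels), so a CDN that fans out over many short hostnames does not trip it:

```python
import hashlib
import math
from collections import defaultdict


def build_sample_log() -> str:
    """Constructed resolver log, one query per line:
    '<timestamp> <client_ip> <qtype> <qname>'."""
    lines = []
    for i in range(5):
        # ordinary lookups from two workstations
        lines.append(f"2023-05-11T10:00:0{i}Z 10.0.1.20 A www.example.com")
        lines.append(f"2023-05-11T10:00:0{i}Z 10.0.1.21 A mail.example.com")
    for i in range(30):
        # a CDN that fans out over many hostnames: many distinct subdomains,
        # but short, low-entropy labels (must NOT be flagged)
        lines.append(f"2023-05-11T10:01:{i:02d}Z 10.0.1.21 A s{i}.cdn.example.org")
    for i in range(24):
        # exfiltration: data chunks smuggled as the first label of queries to an
        # attacker-controlled zone; sha256 digests stand in for encoded chunks
        chunk = hashlib.sha256(f"customer-record-{i}".encode()).hexdigest()
        lines.append(f"2023-05-11T10:02:{i:02d}Z 10.0.1.20 TXT {chunk}.t.example.net")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def shannon_entropy(s: str) -> float:
    """Bits per character; hex text is capped at 4.0, base64 at 6.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def base_domain(qname: str) -> str:
    """Last two labels. Simplification: a real deployment would consult the
    public suffix list so that e.g. 'example.co.uk' counts as one zone."""
    return ".".join(qname.split(".")[-2:])


def dns_exfil_alerts(records, min_subdomains=16, min_label_len=32, min_entropy=3.5) -> list:
    """Flag (client, zone) pairs where at least two of three signals fire:
    many distinct subdomains, long first labels, high-entropy first labels."""
    groups = defaultdict(set)             # (client, zone) -> distinct first labels
    for _, client, _, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue                      # bare zone: nothing can be smuggled
        groups[(client, base_domain(qname))].add(labels[0])
    alerts = []
    for (client, zone), first_labels in groups.items():
        mean_len = sum(len(lab) for lab in first_labels) / len(first_labels)
        mean_ent = sum(shannon_entropy(lab) for lab in first_labels) / len(first_labels)
        signals = {
            "many_subdomains": len(first_labels) >= min_subdomains,
            "long_labels": mean_len >= min_label_len,
            "high_entropy": mean_ent >= min_entropy,
        }
        fired = sorted(name for name, hit in signals.items() if hit)
        if len(fired) >= 2:
            alerts.append({"client": client, "zone": zone,
                           "distinct_labels": len(first_labels),
                           "mean_label_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2),
                           "signals": fired})
    return alerts


if __name__ == "__main__":
    for alert in dns_exfil_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

    Requiring two of three signals is what keeps the CDN case quiet: thirty distinct hostnames trip the subdomain count, but two- and three-character labels have neither the length nor the entropy of encoded data. Tune the thresholds against your own resolver logs before alerting on them.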
