RDDoS attacks and DDoS-as-a-Service: Extortion and Business Continuity
RDDoS attacks pose a growing threat to companies of all kinds, whose business continuity is put at risk by criminals
As we have learned from mafia movies, from The Godfather to Gomorrah, one of the pillars of the business model of these groups is the extortion of local merchants and entrepreneurs, to whom they offer their "protection services"; in other words, they demand a periodic payment in exchange for not attacking them and for protecting them against rival mafias. RDDoS attacks, distributed denial-of-service attacks that demand a ransom, follow a similar logic. The criminal groups that employ them threaten their victims with DDoS attacks if they do not pay the ransom beforehand, or they launch the attacks and then demand a ransom to stop them.
Targeted denial-of-service attacks challenge companies' defensive capabilities because the system or service under attack (websites, e-commerce, DNS, APIs, etc.) is hit from many sources at once thanks to botnets. This strategy makes it difficult to distinguish legitimate traffic from attack traffic in order to block the latter.
Hence, the rise of RDDoS attacks represents a new twist that makes the threat landscape more complex.
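The difficulty described above, that a botnet spreads the flood across many sources so that no single client looks abnormal, is easiest to see on actual log lines. The following is an added example, not code from the original article or from Tarlogic; it runs a two-stage check over a constructed access log (combined log format, addresses from the documentation ranges 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24). Stage one flags single sources that exceed a per-IP request threshold, which catches a classic one-host flood. Stage two removes those sources and compares what is left against an assumed baseline request rate and number of distinct clients, which is what exposes a distributed flood made of many low-rate bots. All thresholds and baselines are assumptions chosen for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

BASE = datetime(2023, 11, 24, 10, 0, 0, tzinfo=timezone.utc)  # constructed window start


def _line(ip, second, path):
    """Build one constructed log line at BASE + second."""
    ts = (BASE + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed 10-second access log: 5 legitimate clients, 1 loud flooder, 40 low-rate bots."""
    lines = []
    for i in range(1, 6):                      # legitimate: 3 requests each
        for sec in (0, 3, 6):
            lines.append(_line(f"198.51.100.{i}", sec, "/checkout"))
    for sec in range(10):                      # single loud source: 6 requests per second
        for _ in range(6):
            lines.append(_line("203.0.113.99", sec, "/"))
    for i in range(1, 41):                     # botnet: only 2 requests per bot, spread out
        lines.append(_line(f"192.0.2.{i}", i % 10, "/search"))
        lines.append(_line(f"192.0.2.{i}", (i + 5) % 10, "/search"))
    return lines


def parse_line(line):
    """Parse one log line into (ip, datetime, path); return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def loud_sources(events, per_ip_threshold):
    """Stage one: IPs whose request count in the window exceeds the per-IP threshold."""
    counts = Counter(ip for ip, _, _ in events)
    return {ip for ip, n in counts.items() if n > per_ip_threshold}


def analyse_window(events, window_seconds, baseline_rps, baseline_sources,
                   per_ip_threshold, factor=3.0):
    """Stage two: after removing loud sources, compare the residual traffic with the baseline.

    A residual rate AND a residual client count both above `factor` times baseline
    indicates many low-rate sources, i.e. a distributed flood that per-IP limits miss.
    """
    loud = loud_sources(events, per_ip_threshold)
    rest = [e for e in events if e[0] not in loud]
    residual_rps = len(rest) / window_seconds
    residual_sources = len({ip for ip, _, _ in rest})
    return {
        "loud_sources": loud,
        "residual_rps": residual_rps,
        "residual_sources": residual_sources,
        "distributed_flood": (residual_rps > factor * baseline_rps
                              and residual_sources > factor * baseline_sources),
    }


def run_demo():
    """Analyse the constructed log with assumed baselines (2 rps, 5 clients) and a 20-req/IP limit."""
    events = [e for e in map(parse_line, build_sample_log()) if e is not None]
    return analyse_window(events, window_seconds=10, baseline_rps=2.0,
                          baseline_sources=5, per_ip_threshold=20)


if __name__ == "__main__":
    result = run_demo()
    print("loud sources (per-IP rule):", sorted(result["loud_sources"]))
    print("residual traffic:", result["residual_rps"], "rps from",
          result["residual_sources"], "clients")
    print("distributed flood suspected:", result["distributed_flood"])
```

Running it shows the per-IP rule catching only 203.0.113.99, while the 40 bots each stay under the limit; only the aggregate comparison (9.5 rps from 45 clients against a baseline of 2 rps from 5) reveals the distributed flood. In production the baseline would come from historical traffic for the same time of day, and the residual check would feed a mitigation such as challenge pages or upstream scrubbing rather than per-IP blocking.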
These attacks result from the hybridization and growing sophistication of hostile actors' techniques, tactics and procedures (TTPs) and from the emergence of aaS (as-a-Service) models for criminal purposes. These models package attacks so that they can be carried out by people who lack the knowledge and resources to design and implement them on their own.
In the following, we will analyze the keys to RDDoS attacks and highlight the importance of performing DoS tests to ensure that systems exposed to the Internet can cope with this type of attack.
1. Targeted denial-of-service attacks, a classic that never dies
A review of cyber-attack news shows that DDoS attacks continue to be a significant threat to the cybersecurity of companies, institutions and citizens.
In recent days, a DDoS attack has paralyzed the Destiny 2 video game, with millions of users, for more than a week; a criminal group associated with Russia has caused disruptions in the operation of Canadian airports; and a DDoS attack prevented access to the website of the German agency that regulates the financial market.
These cases highlight the proliferation of DDoS attacks, which seek to saturate the resources of their victims, causing servers to stop serving legitimate customer requests and, therefore, resulting in a service outage or disruption.
The impact of targeted denial-of-service attacks, which can affect business continuity, has prompted cybersecurity specialists and companies to invest resources and expertise to optimize defensive capabilities. How have cybercriminals reacted?
- By making their TTPs more sophisticated. This has led to more complex and advanced attacks, such as DNS Water Torture, used to attack Navantia, Renfe, the Ministry of Justice and even the Royal Household.
- By modifying their objectives, as in the case of RDDoS attacks, which are not focused on paralyzing the system or service under attack but use that threat to obtain direct economic benefits.
- By developing new criminal models. Just as Ransomware-as-a-Service platforms have proliferated on the Dark Web, DDoS attacks have been packaged as a service, which means that more hostile actors can launch targeted denial-of-service attacks.
2. DDoS-as-a-Service: Exponential increase in potential attackers
The emergence of Software as a Service or Platform as a Service has led to a revolution in the implementation of powerful technological developments in companies worldwide. The leap to the Cloud allows companies to contract multiple services of great utility for their business models without needing physical infrastructure to host them.
As has happened with every technological transformation, criminals can appropriate the aaS model and use it maliciously. As a result, DDoS attacks, among others, are marketed on the Dark Web, making them available to thousands of potential hostile actors. How does this model work?
- An actor with the knowledge and resources to develop DDoS attacks, and who controls a botnet to execute them, offers their services in exchange for money, usually paid in cryptocurrencies, which are harder to trace.
- The buyer selects the target of the attack, the type of DDoS, the campaign’s duration and the attack’s intensity.
- Moreover, as has happened with RaaS, DDoS-as-a-Service has been evolving so that loyalty programs, subscriptions and memberships are now offered to attract more customers and thus multiply the number of attackers.
2.1. Hostile actors’ objectives
What are the objectives of hostile actors who engage in DDoS-as-a-Service?
- To boycott competing companies by paralyzing their services exposed to the Internet.
- To attack public administrations and companies as part of a hacktivist strategy, such as the attack suffered by several US and European medical institutions using the DDoS-as-a-Service platform, Passion, at the hands of pro-Russian groups.
- Extorting companies or institutions, as in the case of RDDoS attacks.
- Intimidating a company as part of a more ambitious attack strategy.
- Using DDoS attacks as a distraction to capture the attention and resources of defensive teams to launch another kind of attack, such as malware or ransomware injection.
3. Jeopardizing the business continuity of all kinds of companies
The objectives we have just outlined show that we are facing a scenario in which potential attackers are multiplying and the range of targets is broad.
One of the most widespread misconceptions about cybersecurity is that cybercriminals only target large companies. The data published year after year confirms that SMEs are continuously targeted, with the aggravating factor that they lack the financial resources and professional talent that larger corporations can devote to a solid security strategy. The consequence is that, according to Google, 6 out of 10 small and medium-sized companies that suffer a successful security incident end up going out of business.
Within this worrying picture, paying attention to RDDoS attacks and all targeted denial-of-service attacks in general is essential. Why? They pose a direct threat to business continuity, especially for those companies whose Internet-exposed services play a crucial role, for example, companies that market their services or products through e-commerce.
Let’s take the case of Destiny 2. The paralysis of the game for more than a week translates into economic losses in the millions and incalculable damage to its reputation.
3.1. More attackers, more potential victims
The proliferation of DDoS-as-a-Service models and the rise of RDDoS attacks also mean that the pool of potential targets of denial-of-service attacks is vast. Why? If attacks required a large investment of resources, only attacks on companies of a certain size and on public institutions would be profitable.
DDoS-as-a-Service models, on the other hand, make attacks cheaper and accessible to a wide range of hostile actors who do not necessarily have to have a high level of technical expertise.
RDDoS attacks are designed for direct financial gain. This money is used to finance future campaigns and to acquire more means to execute them, making them more sophisticated and ambitious. This is why companies that fall victim to RDDoS attacks are strongly advised not to pay the ransom demanded. Even if paying stops the current incident, it reinforces the criminal group that has threatened their business continuity and enables it to carry out new attacks.
3.2. RDDoS attacks and the power of the threat
People have been using threats to achieve their goals and as a weapon of war since the dawn of humankind. RDDoS attacks are precisely the result of adding the power of a threat to the techniques, tactics and procedures typical of targeted denial-of-service attacks. The criminals who carry them out send their victims a ransom note in which the company can be threatened in various ways:
- Claiming responsibility for a previous successful DDoS attack and stating that the group is poised to cause a new security incident.
- Announcing that the group is behind an ongoing DDoS attack that will not stop until the ransom is paid.
- Threatening to launch an attack unless the requested payment is made.
The ransom note can also include critical information to increase its credibility: providing technical aspects of an attack or claiming that it was launched by a known criminal group, such as the various APT groups threatening global security.
Also, the ransom note specifies the amount of money requested, usually in cryptocurrencies, and the deadline for payment to increase the pressure on the victim.
4. Black Friday and Christmas: Criminals have the last quarter of the year marked in red
RDDoS attacks are a particularly relevant threat in the last months of the year. Why? Black Friday and Christmas are overlapping commercial campaigns that boost sales in the digital channels of thousands of companies, from multinationals to small businesses selling organic products made in rural areas.
Hence, many criminals are tempted to launch RDDoS attacks to earn large amounts of money through extortion. They exploit the fear felt by thousands of businesses that a targeted denial-of-service attack will paralyze their services and deprive them of income that is essential to their annual results. This is especially true for companies whose digital sales channel is central to their business strategy.
How can companies prevent RDDoS attacks, and how can they face them confident that their defensive capabilities are ready to withstand a targeted denial-of-service attack?
- Strengthen systems and services to successfully handle traffic and sales peaks (such as Black Friday) and avoid outages that negatively affect sales generation.
- Use cloud providers and contract several servers to increase redundancy and ensure business continuity in the face of RDDoS attacks.
- Perform denial of service or DoS tests.
5. DoS Test: Evaluate resilience and response to RDDoS attacks
Load or denial of service tests are essential to test the resilience and responsiveness of systems exposed to the Internet.
Tarlogic Security professionals have developed an effective DoS Test methodology that has already been successfully implemented in hundreds of companies wishing to protect their systems exposed to the Internet.
What do these denial of service tests consist of? Various techniques are used to simulate this type of attack in controlled environments. The objective is to test the saturation levels of a company’s various services by simulating a large amount of traffic. These tests are generally carried out when the company has a lower workload.
To determine the maximum capacity of the target service, testers run increasingly demanding tests until resource saturation is reached.
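The stepped approach just described (increase the offered load until the service saturates) produces a series of per-step measurements, and the useful output is the last step the service sustained and the first at which it broke. The following is an added example of that analysis and is not Tarlogic's DoS Test methodology or tooling; the step results are constructed numbers, and the service-level thresholds (p95 latency, error rate, throughput ratio) and the forecast peak are assumptions. It also addresses the case where the ramp ends without reaching saturation, in which case the capacity figure is only a lower bound and the test should continue with higher steps.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LoadStep:
    """Measurements for one step of a ramped load test (all values constructed for the demo)."""
    target_rps: float      # offered load for this step
    achieved_rps: float    # throughput the service actually sustained
    p95_latency_ms: float  # 95th percentile response time
    error_rate: float      # fraction of timed-out or non-2xx responses


@dataclass(frozen=True)
class Slo:
    """Assumed service-level thresholds that define 'still healthy' for a step."""
    max_p95_latency_ms: float = 500.0
    max_error_rate: float = 0.01
    min_throughput_ratio: float = 0.9  # achieved/target below this means the service no longer keeps up


def step_is_healthy(step: LoadStep, slo: Slo) -> bool:
    """A step is healthy only if latency, errors and throughput all stay within the SLO."""
    return (step.p95_latency_ms <= slo.max_p95_latency_ms
            and step.error_rate <= slo.max_error_rate
            and step.achieved_rps >= slo.min_throughput_ratio * step.target_rps)


def find_saturation(steps: List[LoadStep], slo: Slo) -> Tuple[float, Optional[LoadStep]]:
    """Walk the ramp in order and return (sustained capacity, first failing step).

    The capacity is the achieved throughput of the last healthy step. If every step
    is healthy the second element is None: saturation was not reached and the
    returned capacity is only a lower bound.
    """
    targets = [s.target_rps for s in steps]
    if targets != sorted(targets) or len(set(targets)) != len(targets):
        raise ValueError("steps must be strictly increasing in target_rps")
    capacity = 0.0
    for step in steps:
        if not step_is_healthy(step, slo):
            return capacity, step
        capacity = step.achieved_rps
    return capacity, None


def headroom(capacity_rps: float, forecast_peak_rps: float) -> float:
    """Ratio of sustained capacity to the expected peak (e.g. a Black Friday forecast)."""
    if forecast_peak_rps <= 0:
        raise ValueError("forecast peak must be positive")
    return capacity_rps / forecast_peak_rps


# Constructed ramp: load doubles each step; the service degrades sharply at 1600 rps.
SAMPLE_RAMP = [
    LoadStep(100, 100, 120, 0.000),
    LoadStep(200, 199, 140, 0.000),
    LoadStep(400, 398, 210, 0.001),
    LoadStep(800, 790, 380, 0.004),
    LoadStep(1600, 1210, 1450, 0.070),   # latency and errors explode, throughput flattens
    LoadStep(3200, 1180, 4100, 0.350),
]


def run_demo(forecast_peak_rps: float = 600.0):
    """Analyse the constructed ramp against the default SLO and an assumed peak forecast."""
    capacity, failing = find_saturation(SAMPLE_RAMP, Slo())
    return {
        "capacity_rps": capacity,
        "saturation_reached": failing is not None,
        "first_failing_target": failing.target_rps if failing else None,
        "headroom": headroom(capacity, forecast_peak_rps),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"sustained capacity: {r['capacity_rps']} rps")
    print(f"saturation reached: {r['saturation_reached']} (first failing step: {r['first_failing_target']} rps)")
    print(f"headroom vs forecast peak: {r['headroom']:.2f}x")
```

With these constructed numbers the service sustains 790 rps, breaks at the 1600 rps step, and has about 1.3x headroom over a 600 rps forecast peak. In a real engagement the step results come from the load generator's reports, the SLO comes from the service owner, and a headroom below roughly 1.0 is the signal that the hardening and redundancy measures listed above are needed before the peak season.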
5.1. Benefits of denial-of-service testing
What are the benefits for companies that contract DoS tests?
- Thanks to the simulation of attacks, accurate load test data are obtained, which are used to evaluate the security of services.
- DoS tests make it possible to test the response time of a company’s defensive capabilities in the event of a DDoS attack.
- Denial-of-service tests are helpful when analyzing the resilience of backend systems, since they exercise the autoscaling capacity needed to handle all the load generated by the simulated attack.
- They detect vulnerabilities in the system or application exposed to the Internet that hostile actors could exploit to launch DDoS attacks.
In short, targeted denial-of-service attacks not only continue to be a very relevant threat for all types of companies, but DDoS-as-a-Service platforms and RDDoS attacks have increased the potential number of hostile actors that can launch this type of attack and, therefore, the number and type of companies that can be victims of them.
It is, therefore, crucial to perform denial-of-service tests to improve resilience against these attacks and optimize response capacity to guarantee business continuity, especially for critical services and at particularly sensitive times for business strategies, such as Black Friday or Christmas.