Hubungi Kami

Cyber Ransom Blooms in the Spring

Abstract

In 2016, ransom was the #1 motivation behind cyber-attacks; half of organizations were subject to this extortion threat (according to Radware 2016-2017 Global Application Network Security Report). In parallel to the ransomware plague, Radware witnessed an emerging trend of hackers (and copycats) who extort organizations by posing an imminent threat of a DDoS attack – one out of six organizations was a victim. As IoT botnets have become more powerful, Radware has witnessed an increase in the number of ransom threats that companies have received in 2017. So far, two hacker groups have risen above the rest: XMR Squad and FancyBear. 

RDoS in 2017

In an RDoS attack, the perpetrators send a letter threatening to attack an organization—rendering its business, operations or capability unavailable—unless a ransom is paid by the deadline. These attacks have grown in number every year since 2010 and typically come in the form of a volumetric distributed denial of service (DDoS) attack. However, it is increasingly in vogue to find techniques that are more piercing and more efficient without generating large volumes. The most advanced attacks combine both volumetric and non-volumetric cyber-attack techniques.

RDoS ROI

RDoS has become financially rewarding to cyber criminals who enjoy large monetary gains for very small investments. For example – opening a bitcoin wallet and sending an extortion email costs nearly nothing. Distributing enough ransom letters will usually generate a few individuals/organizations that are willing to pay. Moreover, hackers increase their chances by paying as little as $20 for a DDoS-as-a-service program and launch a twenty-minute 1 Gbps-demo attack. The reward, in most cases, is thousands of dollars. For this reason, there have been many opportunists that emerged in 2016, such as the hacktivist group that tried to use the name of the infamous group Lizard Squad to spread fear and extort victims. This year it is a group pretending to be Fancy Bear/APT28.

FancyBear

At the end of April, FancyBear began sending out extortion attempts. The extortionist behind this campaign attempted to intimidate their victims by using APT28, a cyber-espionage group. APT28 is a nation state-level attacker that uses zero-day exploits and spear phishing attacks to spread their malware. RDoS campaigns are not FancyBears’ modus operandi.

The wording of the extortion attempt was similar to a fake Armada Collective letter from last year. FancyBear was requesting 10 bitcoins with the threat to increase by 10 bitcoins for each day without payment. Unlike genuine RDoS attackers, FancyBear did not launch a demonstration attack. Demonstration attacks prove that a threat is real. Ultimately, FancyBear never launched an attack. Their main objective was to leverage the name of a well-known threat to force the victim into paying the ransom.

XMR Squad

Radware’s ERT research is also monitoring another RDoS campaign in parallel. This new group, XMR Squad, has already targeted companies in Germany and the United States. Companies in Germany included DHL, Hermes, AldiTalk, Freenet and Snipes.com. The attack launched against DHL by XMR Squad shut down their customer portal and all API services.  

XMR Squad, unlike FancyBear, launched attacks against their victims. After launching a demonstration attack, XMR Squad emailed their victims requesting 250 Euros for testing their DDoS mitigation systems. Currently, a different group going by the name XMR Squad is requesting 2-3 bitcoins under the threat of a 300 – 600 Gbps attack. The time limit given for payment is 24 hours.

 

 

XMR Squad disappeared about one week ago but has since reappeared. The unusual part about XMR Squad is the way they went about branding and marketing themselves. They have a Twitter account, @XMR_Squad, a website, xmr-squad.biz, and did an interview. Notorious RDoS groups like DD4BC and Armada Collective did not have a website or Twitter accounts. 

Its likely that XMR went public during their original campaign so they could establish a name for themselves. When they come back, they would have an established reputation of launching attacks. The problem is the latest group to claim they are XMR Squad has not followed through with their threats. Radware has witnessed a number of extortion letters over the last several days, but the extortionist has not launched an attack. The new XMR Squad has also switched from requesting Euros to bitcoin. They are requesting payment with no demonstration attack and no follow through.

 

Attack Vectors

Most of these DDoS for ransom groups are running their own network stress, however some leverage publicly-available stressers to conduct their campaigns. When experiencing a DDoS for ransom attack, expect 100+ Gbps and multi-vector attacks simultaneously. The attack is likely to be persistent and last for days. Attack vectors include floods using the following protocols: 

  • SSDP 
  • NTP 
  • DNS 
  • UDP 
  • TCP RST 
  • TCP SYN 
  • SYN Flood 
  • SYN ACK 
  • SSYN 
  • ICMP

RDoS Groups

  • DD4BC
  • Armada Collective
  • RedDoor
  • exBTC
  • Kadyrovtsy
  • Borya Collective
  • Lizard Squad (fake)
  • Stealth Ravens
  • XMR Squad 
  • FancyBear 

Dealing With a Ransom Letter

Companies should be advised not to pay an extortionist and seek professional assistance with mitigating an RDoS attack. Such a threat usually provokes the need for a scrubbing service, ACL/BGP reconfiguration, as well as the usual DDoS protection essentials (listed below) to assure uptime and SLA.

Evaluation – Is It Real or Fake?

Although it is almost impossible to determine whether a ransom note comes from a competent, experienced hacker group or an amateur unit – some units emerged under the guise of notorious hacking crews. While these fake groups send emails nearly identical to real ransom letters, there are several indicators to distinguish between the two:

  1. The fake groups often request a different amount of money.
  2. "Real" groups prove their competence; fake groups exclude the "demo" attack.
  3. These groups do not have official accounts, websites or target lists.
  4. When hackers launch a real ransom attack, they normally target many companies under the same industry. 
  5. Look for suspicious indicators. Is this group known for DDoS attacks?

Organizations Under Attack Should Consider

  • Hybrid DDoS Protection – (on-premise + cloud) for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation
  • Behavioral – Based Detection – to quickly and accurately indentify and block anomalies while allowing legitimate traffic through 
  • Real-Time Signature Creation – to promptly protect from unknown threats and 0-day attacks
  • A Cyber-Security Emergency Response Plan – that includes a dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks

For further security measures, Radware urges companies to inspect and patch their network in order to defend against risks and threats.

Under Attack and in Need of Expert Emergency Assistance? Radware Can Help.

Radware offers a service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damages occur. If you’re under DDoS attack or malware outbreak and in need of emergency assistance, Contact us at Radware@virtusindonesia.com.

 

Share to:

Kategori Vendor

Cloud Security
Network Management
Data Center Solutions
Video Intelligent Collaboration
Comprehensive Security
Security Operations Center (SOC)
Next-Gen Endpoint Protection
Edge Network Solutions

Insight

Berita & Artikel
Konten Digital

Perusahaan

Karir

Tentang Kami

Hubungi Kami

Instagram Linkedin Youtube Facebook

Berlanggananlah Berita Kami

Check Our Digital Activities

Virtus Review (VIEW)

 

Aktivitas digital mengenai manfaat produk yang ditawarkan oleh Virtus Technology Indonesia disiarkan di saluran YouTube Virtus.

Virtus Talks

 

Podcast yang membahas tren IT terbaru, juga ditayangkan di saluran YouTube Virtus.

Virtus Highlight

 

Seri reel di Instagram Virtus @virtusid tentang tren dan solusi IT terbaru.

Virtus Life

 

Aktivitas digital yang menampilkan kehidupan karyawan terkait Virtus Technology Indonesia, berdasarkan tren terbaru saat ini.

VIRTUS PARTNER ACADEMY

Program benefit terbaru Virtus untuk Mitra Bisnis. Virtus Partner Academy adalah kursus pelatihan IT online dengan kurikulum lengkap yang dapat diakses kapan saja dan dari mana saja.

Register Now

BELANJA LEBIH, DAPATKAN LEBIH

PROGRAM INSENTIF VIRTUS

untuk Mitra Bisnis

Privacy Policy

PT Virtus Technology Indonesia (“VTI” atau “kami”) sangat berkomitmen untuk memastikan bahwa privasi Anda dilindungi sebagai hal yang sangat penting bagi kami. Pada https://www.virtusindonesia.com/, kami akan mengatur penggunaan Anda terhadap situs web ini, termasuk semua halaman di dalamnya (secara kolektif disebut sebagai “Situs Web ini” di bawah ini), kami ingin berkontribusi untuk menyediakan lingkungan yang aman dan terjamin bagi pengunjung.Berikut adalah ketentuan kebijakan privasi (“Kebijakan Privasi”) antara Anda (“Anda” atau “Anda”) dan VTI. Dengan mengakses situs web ini, Anda mengakui bahwa Anda telah membaca, memahami, dan setuju untuk terikat oleh Kebijakan Privasi ini.
Penggunaan Layanan Langganan oleh VTI dan Pelanggan Kami
Ketika Anda meminta informasi dari VTI dan memberikan informasi yang secara pribadi mengidentifikasi Anda atau memungkinkan kami menghubungi Anda, Anda setuju untuk mengungkapkan informasi tersebut kepada kami. VTI dapat mengungkap informasi tersebut hanya untuk keperluan pemasaran, promosi, dan aktivitas semata-mata untuk kepentingan VTI dan Situs Web.
Pengumpulan Informasi
Anda bebas menjelajahi Situs Web tanpa memberikan informasi pribadi tentang diri Anda. Ketika Anda mengunjungi Situs Web atau mendaftar untuk layanan langganan, kami menyediakan beberapa informasi navigasional agar Anda mengisi informasi pribadi Anda untuk mengakses beberapa konten yang kami tawarkan. VTI dapat mengumpulkan data pribadi Anda seperti nama, alamat email, nama perusahaan, nomor telepon, dan informasi lainnya tentang diri Anda atau bisnis Anda. Kami mengumpulkan data Anda secara online dan offline. VTI mengumpulkan data Anda secara online menggunakan fitur media sosial, pemasaran melalui email, situs web, dan teknologi cookies. Kami mungkin mengumpulkan data Anda offline dalam acara seperti konferensi, pertemuan, lokakarya, dll. Namun, kami tidak akan menggunakan atau mengungkap informasi tersebut kepada pihak ketiga atau mengirim email yang tidak diminta ke alamat yang kami kumpulkan, tanpa izin eksplisit Anda. Kami memastikan bahwa identitas pribadi Anda hanya akan digunakan sesuai dengan Kebijakan Privasi ini.
Cara VTI Menggunakan Informasi yang Dikumpulkan
VTI menggunakan informasi yang dikumpulkan hanya sesuai dengan kebijakan privasi ini. Pelanggan yang berlangganan layanan langganan kami diwajibkan melalui perjanjian dengan mereka untuk mematuhi Kebijakan Privasi ini.
Selain penggunaan informasi Anda, kami dapat menggunakan informasi pribadi Anda untuk:
Meningkatkan pengalaman penjelajahan Anda dengan mempersonalisasi situs web dan meningkatkan layanan langganan.
Mengirim informasi tentang VTI.
Mempromosikan layanan kami kepada Anda dan berbagi konten promosi dan informatif dengan Anda sesuai dengan preferensi komunikasi Anda. Mengirim informasi kepada Anda mengenai perubahan pada ketentuan layanan pelanggan kami, Kebijakan Privasi (termasuk kebijakan cookie), atau perjanjian hukum lainnya.
Teknologi Cookies
Cookies adalah potongan kecil data yang situs web transfer ke hard drive komputer pengguna ketika pengguna mengunjungi situs web. Cookies dapat mencatat preferensi Anda saat mengunjungi situs tertentu dan memberikan keuntungan mengidentifikasi minat pengunjung kami untuk analisis statistik situs kami. Informasi ini dapat memungkinkan kami untuk meningkatkan konten, memodifikasi, dan membuat situs kami lebih ramah pengguna. Cookies digunakan untuk beberapa alasan seperti alasan teknis agar situs web kami beroperasi. Cookies juga memungkinkan kami untuk melacak dan mengarahkan minat pengguna kami untuk meningkatkan pengalaman situs web dan layanan langganan kami. Data ini digunakan untuk memberikan konten dan promosi yang disesuaikan dalam VTI kepada pelanggan yang memiliki minat pada subjek tertentu.Anda memiliki hak untuk memutuskan apakah menerima atau menolak cookies. Anda dapat mengedit preferensi cookies Anda pada pengaturan browser. Jika Anda memilih untuk menolak cookies, Anda masih dapat menggunakan situs web kami meskipun akses Anda ke beberapa fungsi dan area situs web kami mungkin dibatasi.Situs Web ini juga dapat menampilkan iklan dari pihak ketiga yang berisi tautan ke situs web lain yang menarik. Setelah Anda menggunakan tautan ini untuk meninggalkan situs kami, harap dicatat bahwa kami tidak memiliki kendali atas situs tersebut. VTI tidak dapat bertanggung jawab atas perlindungan dan privasi informasi apa pun yang Anda berikan saat mengunjungi situs web tersebut, dan Kebijakan Privasi ini tidak mengatur situs web tersebut.
Kendalikan Data Pribadi Anda
VTI memberikan kontrol kepada Anda untuk mengelola data pribadi Anda. Anda dapat meminta akses, koreksi, pembaruan, atau penghapusan informasi pribadi Anda. Anda dapat berhenti berlangganan dari aktivitas pemasaran kami dengan mengklik berhenti berlangganan dari bagian bawah email kami atau menghubungi kami langsung untuk menghapus Anda dari daftar langganan kami. Kami akan menjaga informasi pribadi Anda agar akurat, dan kami memungkinkan Anda untuk memperbaiki atau mengubah informasi pribadi Anda melalui marketing@virtusindonesia.com.