Ransoms, a.k.a. the act of holding someone or something hostage as a way to extort money from those who want their safe return, has been a commonly used tactic throughout human history. For example, the Roman statesman Julius Caesar was once captured by pirates who held him until a large sum of money was paid for his release.
In the digital age, so-called ransomware has been a weapon in the arsenal of would-be extortionists for more than 30 years. However, during that time, strategies have changed somewhat.
Ransomware began with the goal of extorting victims for money in exchange for decryption keys. Put simply, attackers would use malware to encrypt valuable files or data, and would provide the means to decrypt it only in the event that money — typically transferred via difficult-to-trace means such as bitcoin payments — was paid.
While victims of ransomware attacks are frequently unwilling to publicize their willingness to pay, such ransom demands have been successfully used to extort up to seven figures from targets when the encrypted documents are considered sufficiently critical. Especially when the likes of DDoS gets involved.
Attacks evolve
As with any form of cyber attack, ransomware has played out as a game of cat and mouse between those bad actors trying to use the strategy to extort money and those, on the good side, who try to educate users how to resist such attacks.
Notably, as ransomware has gotten more widely publicized, many users have found ways to try and safeguard against these attacks. The simplest way to protect against this kind of ill-gotten revenue-seeking attack is to use backups to create duplicates of documents. This means that a victim of a ransomware attack can quickly restore the status quo by ignoring the encrypted version of a document for an identical (but accessible) copy. While they’ll still want to ensure that the malware is wiped from their machine, this greatly reduces the impact of an attack.
Ransomware attackers don’t take this lying down, though. By evolving ransomware attacks in new, frightening ways they seek to find different ways to “persuade” targets to hand over their money — usually by cranking up the pressure in some manner.
As an increasingly common example, many ransomware attacks do not simply target certain files for encryption, but also find ways to exfiltrate that data. That means that, while the rightful owners may not have access to the information, copies of it are sent to attackers who can then use it to bribe owners. If a ransom is not paid, they could pass it along to business rivals or even freely publish it online: causing anything from embarrassment to, in the case of proprietary business information, a loss of competitive advantage. In some instances, they will even use this to gather customer or partner information and then go on to extort them as well.
DDoS enters the picture
Another type of ransomware persuasion method involves DDoS, a.k.a. Distributed Denial of Service attacks. A DDoS attack explained goes like this: A victim is bombarded with enormous amounts of fraudulent traffic with the express goal of bringing their website or online service to a screeching halt. Like redirecting huge amounts of vehicular traffic down a street not designed to deal with it, at a certain point the traffic quantity is so great that the result is total gridlock, leaving legitimate customers (or, in the vehicular traffic analogy, drivers) unable to reach their desired destination. Ransomware attackers will utilize the twin threat of DDoS to target victims, threatening that the target will be hit by a DDoS attack.
The latest illustration of this form of cyber attack being used comes from the feared HelloKitty ransomware gang, also known as FiveHands. This ransomware operation has been active dating back to November 2020, and claims to have stolen game source code including Gwent, Cyberpunk 2077, Witcher 3, and more. The U.S. Federal Bureau of Investigation (FBI) has been aware of HelloKitty since January 2021. Recently, the FBI issued a flash alert warning to private industry that HelloKitty has been utilizing DDoS attacks as part of their extortion tactics.
Unfortunately, it is unlikely that HelloKitty will remain standouts in this area. When it comes to the priorities of cyber attackers, being original is not one of them: If a tactic is proving successful for one group, it will be purloined by others hoping to use it to make some cheap money. Usage of DDoS attacks is also easier than ever, thanks to the ability to hire a DDoS botnet for as little as a few bucks at a time. This greatly lowers the barrier to entry for this form of attack and makes it more accessible to whoever wants to use it.
Protecting against attacks
Protecting against ransomware and DDoS attacks is essential for any organization today. Fortunately, there are tools to help. Tools such as Web Application Firewalls (WAFs) can help stop bad traffic in its tracks, all while continuing to let properly filtered traffic through so that it can reach its destination. So-called scrubbing centers can also protect against large volumetric attacks by allowing targets to better cope with the high volume of traffic that comes with a DDoS attack.
Ransomware has long been one of the nastiest brands of cyber attack out there. Through the incorporation of additional attacks such as DDoS, it’s only getting worse. Make sure you do your utmost to safeguard against them. It’s the least you can do for yourself and, potentially, your customers.