DDoS ransom extortion is certainly not a new ploy in the hacking community, but there are several new developments. Among them, the use of bitcoin as a payment method stands out. DD4BC (DDoS for Bitcoin) is a hacker, or group of hackers, found to be extorting money from victims with DDoS attacks and demanding payment in bitcoin. DD4BC appears to focus on the gaming and payment-processing industries that use bitcoin.
In November 2014, reports emerged that the group had sent a note to the Bitalo Bitcoin exchange demanding 1 bitcoin in exchange for helping the site strengthen its protection against DDoS attacks. At the same time, DD4BC carried out a small attack to demonstrate the exchange’s vulnerability to this method. Bitalo ultimately refused to pay the ransom. Instead, the site publicly accused the group of blackmail and extortion and offered a reward of more than $25,000 for identifying those behind DD4BC.
The extortion notes have several characteristics in common. In the course of the extortion, the attacker:
Launches an initial DDoS attack (lasting from a few minutes to several hours) to prove that they can take the victim’s website down.
Demands payment in bitcoin, suggesting that they are in fact helping the site by pointing out its vulnerability to DDoS.
Threatens more damaging attacks in the future.
Threatens a higher ransom as the attacks progress (pay now or pay more later).
These attacks can take unprotected sites offline. A recent study by Arbor Networks concluded that the vast majority of actual DD4BC attacks were UDP amplification attacks abusing vulnerable UDP services such as NTP and SSDP. In the spectrum of cyber attacks, a UDP flood from a botnet is a relatively simple, direct attack that saturates the target network with unwanted UDP traffic. Such attacks are not technically complex and are made easier still by rented botnets, downloaders and ready-made scripts.
The typical pattern for the DD4BC gang is to launch DDoS attacks targeting Layers 3 and 4; if that does not have the desired effect, they may move to Layer 7 with various types of HTTP POST/GET attacks. The initial attack usually falls in the 10-20 Gbps range. That is sizeable, but often nowhere near the scale of the real threat.
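As an added example (not from the original article), a Python detector for the NTP/SSDP amplification pattern described above: it aggregates flow records per destination and flags a victim when UDP traffic arrives from many distinct hosts on reflector source ports, with large average packets and a high aggregate rate in the range the article quotes. The flow-record shape, thresholds and sample addresses are assumptions constructed for this example.

```python
"""Flag UDP amplification floods (NTP/SSDP reflection) in flow records.

Record shape is a constructed simplification of NetFlow/IPFIX:
(src_ip, src_port, dst_ip, dst_port, proto, bytes, packets), one window.
"""
from collections import defaultdict

REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP"}  # abused UDP services, by source port
MIN_AVG_PKT_BYTES = 300        # a normal NTP reply is 48 bytes; amplified ones are far larger
MIN_DISTINCT_REFLECTORS = 20   # reflection spreads one victim's traffic over many sources
MIN_GBPS = 1.0                 # rate floor so a handful of big replies does not alert


def analyze_flows(flows, window_s=60):
    """Return {victim_ip: summary} for destinations that look like reflection targets."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set(), "services": set()})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, pkts in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue  # only traffic *from* reflector ports is of interest here
        agg = per_dst[dst_ip]
        agg["bytes"] += nbytes
        agg["packets"] += pkts
        agg["reflectors"].add(src_ip)
        agg["services"].add(REFLECTOR_PORTS[src_port])

    alerts = {}
    for dst_ip, agg in per_dst.items():
        avg_pkt = agg["bytes"] / max(agg["packets"], 1)
        gbps = agg["bytes"] * 8 / window_s / 1e9
        if (avg_pkt >= MIN_AVG_PKT_BYTES and len(agg["reflectors"]) >= MIN_DISTINCT_REFLECTORS
                and gbps >= MIN_GBPS):
            alerts[dst_ip] = {"gbps": round(gbps, 2), "reflectors": len(agg["reflectors"]),
                              "services": sorted(agg["services"]), "avg_pkt_bytes": round(avg_pkt)}
    return alerts


def constructed_flows():
    """Synthetic 60 s sample: 200 NTP and 50 SSDP reflectors flooding one victim,
    alongside ordinary NTP/SSDP replies to other hosts (all addresses made up)."""
    flows = []
    for i in range(200):  # 468-byte NTP responses, 1M packets per reflector
        flows.append((f"198.51.100.{i + 1}", 123, "203.0.113.10", 40000 + i, "udp", 468 * 10**6, 10**6))
    for i in range(50):   # 1500-byte SSDP responses, 200k packets per reflector
        flows.append((f"192.0.2.{i + 1}", 1900, "203.0.113.10", 50000 + i, "udp", 1500 * 2 * 10**5, 2 * 10**5))
    flows.append(("192.0.2.250", 123, "203.0.113.20", 123, "udp", 48, 1))      # normal NTP reply
    flows.append(("10.0.0.5", 1900, "10.0.0.9", 54321, "udp", 600 * 3, 3))     # LAN SSDP discovery
    return flows
```

On the constructed sample, only 203.0.113.10 is flagged, at roughly 14.5 Gbps from 250 reflectors, while the single normal NTP reply and the LAN SSDP exchange pass through unflagged.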
If a company does not comply with the demands, and does not mitigate the attack through DDoS protection services, the group usually moves on to the next phase 24 hours after a prolonged attack. But you should not count on this pattern when planning your defences.