2020 DDoS Extortion Campaign—A Sequel More Thrilling Than the Original

Co-written by: Tom Emmons

As the go-to enterprise distributed denial-of-service (DDoS) mitigation experts, our phones have been "ringing off the hook" since the release of the global extortion DDoS campaign sequel. This latest installment of the cybersecurity saga is bigger, badder, and features a broader cast of criminal characters than seen previously with last year's extortion-related activity.

We've seen a ton of new and expanded customer activity directly resulting from this campaign as organizations suddenly needed additional defensive controls for internet-facing assets, pronto. The number of impacted customers changes almost daily, with enterprises across all verticals targeted by threat actors:

• New Prolexic Data Center DDoS Protection Customers: 30+

• Existing Prolexic Customer Upgrades: 10+

In fact, we've done more than 30 emergency turn-ups -- three for stock exchanges alone.  

The following scripts are true, but the names have been changed to protect the identity of the organizations affected. Let's take a closer look behind the scenes. Action!

Scene 1: when threat actors play villain

Like many businesses impacted by the COVID-related downturn, We'll Be Fine Inc. experienced significant downsizing. To cut costs, the company did not renew the Prolexic portion of its security services contract since it had never experienced a DDoS attack. 

By the middle of August, that was no longer the case: An executive received the DDoS extortion email. A short time later, We'll Be Fine Inc. was hit by a DDoS attack that had a significant impact on its infrastructure. While its WAF solution deflected malicious traffic targeted at web-facing properties, the attackers homed in on the company's data centers and launched a DDoS attack across all ports and protocols. Immediately, the customer contacted Akamai, and by the next morning its integration requirements had been documented by the Prolexic specialist team.

That same day, the organization received another email from the attackers stating it would get hit again if extortion demands weren't met. Because the impending threat was considered real and it was believed that the attackers would follow through, We'll Be Fine Inc. deployed Prolexic always-on emergency turn-up services to protect its internet-facing infrastructure before the next extortion deadline. While the customer did see some unusual spikes in traffic, the attackers didn't attempt the follow-up attack as threatened, most likely because Prolexic defenses were already in place.

Our Cutaway

Threat actors from the DDoS extortion campaign continue to pivot across industry verticals and attack organizations previously considered "low-risk" targets for DDoS. It only takes one DDoS attack for you to know you need mitigation controls in place. DDoS mitigation solutions should be viewed as an insurance policy to help keep internet-facing assets protected and threat actors deterred. And as we've seen in other Prolexic emergency turn-up situations, once controls were in place, the attackers rarely followed through on their threats.

Scene 2: bringing the big guns

As a result of the DDoS extortion campaign, Need Help Now LLC was hit with sustained DDoS attacks for more than a week, impacting customer-facing services and availability. The organization's existing DDoS protections were not powerful enough to mitigate the severe attacks. When the company searched for additional defenses, it was told that new services would take 10 days to be operational -- a risk the company was not willing to take.  

Upon receiving an industry referral, Need Help Now LLC immediately contacted Akamai to procure emergency integration of its Prolexic DDoS mitigation platform. Within a matter of hours, the company was onboarded to the Prolexic platform, and the threat actors were no longer able to disrupt mission-critical, internet-facing infrastructure.

Our Cutaway

Akamai's purpose-built Prolexic DDoS mitigation solution has the right platform, people, and processes in place to keep internet-facing assets protected in times of customer crisis. Unlike other providers, we provide a fully managed solution that enables our Security Operations Command Center (SOCC) to act as an extension of a customer's incident response team. Our white-glove service (even during emergency integrations) combined with DDoS mitigation expertise provide plenty of protection and peace of mind.

Scene 3: Time’s almost up

When Time Is Money Industries received the DDoS extortion letter warning of an impending attack, it realized it might be in trouble. A few hours later, the threat actors targeted and took down its Domain Name System (DNS) infrastructure and saturated its internet routers with a DDoS attack.With data centers taken offline by the initial "show of force" attack, the company knew it needed to act quickly to procure DDoS defenses when a second email arrived from the extortionists demanding bitcoin payment.

Before the organization approached Akamai, it had been considering another solution and the decision came down to the level of support provided and the time to implement DDoS protection. On the initial emergency turn-up discussion call, Akamai provided a level of service and technical expertise that gave Time Is Money Industries the confidence that Prolexic was the right platform to deliver the quality of mitigation it needed to quickly defend against an impending attack. Within a matter of hours, the company was under Prolexic DDoS defense. Just in time to save the day.

Our Cutaway

Comprehensive protection requires a holistic approach to protecting DNS, web properties, and internet-facing assets from DDoS attacks. With this extortion campaign, attackers are doing their homework and researching customer environments to determine what is and isn't protected. Deploying Prolexic protection across all ports and protocols complements WAF (App & API Protector) and DNS defense (Edge DNS) to help provide DDoS defense in depth for customers. 

While many extortion campaigns remain active until arrests are announced, organizations can fight back by having an experienced DDoS mitigation partner in place. Check out our DDoS Extortion Battle Plan for proactive tips on how to improve your defensive posture. 

To keep today's business-critical assets up and running, enterprises -- both large and small -- need access to high-quality mitigation controls, platform scale, and the expertise to stop DDoS attack campaigns in their tracks. If you are currently under attack or threat of extortion, reach out to the Akamai DDoS hotline, 1-877-425-2624, for immediate assistance.

Roll credits

While the attacks were frequent, large, and persistent, we are seeing less and less activity as the threat actors shy away from customers routed over Akamai networks. This is almost certainly due to our success in proactive mitigation controls, having mitigated over 90% of the threats through our 0-second service-level agreement (SLA).