Unprecedented Levels of Ransom DDoS Extortion Attacks
The FBI has released a flash warning that thousands of organizations around the world, and across multiple industries, have been threatened with distributed denial-of-service (DDoS) attacks unless they pay a bitcoin ransom. This ransom DDoS, or RDoS, threat was covered by Akamai's Security Intelligence Response Team (SIRT) in a Security Alert released on August 17, 2020.
Akamai's security alert highlights that we have seen an increase in attacks from groups claiming to be the Armada Collective, Cozy Bear, Fancy Bear, and the Lazarus Group. Customers have reported receiving letters threatening attacks of up to 2 Tb/sec. Thus far we have observed attacks ranging from 20 to 300 Gb/sec that utilize a variety of attack vectors. Specifically, the FBI has noted that observed attacks use User Datagram Protocol (UDP), Domain Name System (DNS), Web Services Dynamic Discovery (WS-Discovery), Generic Routing Encapsulation (GRE), Network Time Protocol (NTP), and Simple Network Management Protocol (SNMP) to generate attack traffic.
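The vectors listed above share a signature that a defender can look for in flow telemetry: reflected UDP responses arrive from a well-known service port (DNS 53, NTP 123, SNMP 161, WS-Discovery 3702) and GRE shows up as IP protocol 47, in volumes far beyond what the target normally receives. The following script is an added example for this alert, not Akamai's or the FBI's code; it classifies constructed, NetFlow-like records by vector, aggregates bytes per target and vector over a fixed window, and flags targets whose per-vector rate exceeds a threshold in Gb/sec. The port-to-service mapping uses the standard IANA assignments; the sample flows, the 203.0.113.0/24 "protected prefix" and the threshold are constructed for illustration.

```python
"""Flag likely reflection/amplification floods in flow records.

Added example, not Akamai's or the FBI's code. The flow records below are
constructed to resemble a simplified NetFlow export; the reflector ports are the
standard IANA assignments for the services named in the alert.
"""
from collections import defaultdict

UDP = 17   # IP protocol number for UDP
GRE = 47   # IP protocol number for GRE

# UDP services commonly abused as reflectors: amplified responses arrive from
# these *source* ports. Source port alone is a heuristic (legitimate DNS and NTP
# answers come from the same ports), which is why volume is checked as well.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 3702: "WS-Discovery"}

WINDOW_S = 10  # constructed: the flows below are assumed to cover a 10 s window

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 203.0.113.0/24 plays the role of the protected prefix; the RFC 5737 ranges
# 192.0.2.0/24 and 198.51.100.0/24 stand in for reflectors and other peers.
SAMPLE_FLOWS = [
    ("192.0.2.10", 123, "203.0.113.10", 41000, UDP, 20_000_000_000),    # NTP reflection
    ("192.0.2.11", 123, "203.0.113.10", 41001, UDP, 20_000_000_000),    # NTP reflection
    ("192.0.2.12", 123, "203.0.113.10", 41002, UDP, 20_000_000_000),    # NTP reflection
    ("198.51.100.5", 53, "203.0.113.10", 52000, UDP, 5_000_000_000),    # DNS reflection
    ("198.51.100.9", 443, "203.0.113.10", 33000, 6, 1_000_000_000),     # ordinary TCP reply
    ("198.51.100.20", 0, "203.0.113.12", 0, GRE, 2_000_000_000),        # GRE flood
    ("198.51.100.53", 53, "203.0.113.11", 55000, UDP, 100_000),         # normal DNS answers
]


def classify_flow(flow):
    """Return the attack vector a flow resembles, or None for unremarkable traffic."""
    src_port, proto = flow[1], flow[4]
    if proto == GRE:
        return "GRE"
    if proto == UDP and src_port in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[src_port]
    return None


def gbps_by_target(flows, window_s):
    """Aggregate bytes per (destination, vector) and convert to Gb/sec over the window."""
    totals = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        vector = classify_flow(flow)
        if vector is None:
            continue
        totals[flow[2]][vector] += flow[5]
    return {
        dst: {vec: round(nbytes * 8 / (window_s * 1e9), 3) for vec, nbytes in per_vec.items()}
        for dst, per_vec in totals.items()
    }


def flag_targets(flows, window_s, threshold_gbps):
    """Return {dst_ip: {vector: gbps}} for every target/vector pair at or above the threshold."""
    flagged = {}
    for dst, vectors in gbps_by_target(flows, window_s).items():
        hot = {vec: gbps for vec, gbps in vectors.items() if gbps >= threshold_gbps}
        if hot:
            flagged[dst] = hot
    return flagged


if __name__ == "__main__":
    # With a 1 Gb/sec threshold, 203.0.113.10 (NTP + DNS) and 203.0.113.12 (GRE)
    # are flagged; 203.0.113.11 only saw a trickle of ordinary DNS answers.
    for dst, vectors in flag_targets(SAMPLE_FLOWS, WINDOW_S, 1.0).items():
        print(dst, vectors)
```

Real deployments would feed this from an exporter rather than a list and tune the threshold per prefix against a baseline, but the structure is the same: classify by vector, aggregate per target, and alert on rate rather than on individual packets.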
Most recently, Akamai has seen an increasing number of extortion letters being sent to businesses in North America, APAC (Asia-Pacific), and EMEA (Europe, the Middle East, and Africa). While financial services was initially the most threatened vertical, letters have more recently targeted organizations in other industry verticals, including business services, high technology, hospitality, retail, and travel. A recent ZDNet article highlights the breadth of companies targeted as well as impacts to household names across these verticals.
To date, Akamai customers with active Prolexic DDoS mitigation controls have not experienced the service disruptions threatened by these threat actor groups. Akamai has mitigated over 50 attacks fitting this profile in recent weeks and will continue to work with our customers to implement 0-second SLA proactive mitigation controls, which are well suited to combating the attack patterns we have observed.
If your business is threatened by RDoS, Akamai recommends not making ransom payments as there is no guarantee the attack will arrive or that the payment would prevent the DDoS attack. Instead, pull together your IT, operations, security, and customer communication staff to ensure you are prepared and know what to do in the event of an attack -- and if you require assistance, Akamai is standing by to help.
We offer an emergency security integration for rapid onboarding that can be initiated by using Akamai's DDoS Hotline at +1 877-425-2624. Akamai will immediately take steps to triage the risk, apply the appropriate Akamai security tools, and walk through our attack incident procedures. Akamai has successfully performed emergency onboarding for tens of businesses in the past few days. In these instances, having network prefixes required for GRE Tunnels prepared in advance greatly reduces the time to onboard.
Existing Akamai customers should either reach out to their account team or contact Akamai Support, and managed security services (MSS) customers should follow the existing processes they have established with Akamai's Security Operations Command Center (SOCC). Any customer that has been threatened will immediately be put on a High Alert status which results in the SOCC reviewing the situation and making preparations for an attack. Each customer's case will be tuned to meet the requirements of its business and applications.
It is worth noting that, while most of the threats Akamai has observed to date have been mitigated by our Prolexic DDoS mitigation service, best practices dictate that businesses put in place comprehensive DDoS mitigations at DNS and application layers as well. This includes reviewing your DNS solution and ideally ensuring you have a secondary DNS service in the event of an attack, as well as putting in place rate controls and deny rules in a web application firewall (WAF) to manage volumetric attacks.
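The application-layer controls recommended above, rate controls and deny rules, reduce to two decisions per request: is the client in a denied range, and has it exceeded its request budget in the current window? The following is an added example written for this post, not Akamai's WAF or any product's configuration; it implements a per-client sliding-window rate control with static deny rules and replays a constructed access log through it. The log lines, the client addresses (RFC 5737 ranges), the 10-requests-per-second budget and the denied network are all constructed for illustration.

```python
"""Per-client sliding-window rate control plus static deny rules.

Added example, not Akamai's or any WAF vendor's code. The access log below is
constructed; real deployments would read it from the edge or from the WAF's
own request stream.
"""
import ipaddress
from collections import Counter, defaultdict, deque


class RateControl:
    """Decide allow / rate_limited / deny for each request.

    max_requests: requests a single client may make within any window_s seconds.
    deny_networks: CIDR ranges that are refused outright, checked before the budget.
    """

    def __init__(self, max_requests, window_s, deny_networks=()):
        self.max_requests = max_requests
        self.window_s = window_s
        self.deny_networks = [ipaddress.ip_network(n) for n in deny_networks]
        self._hits = defaultdict(deque)  # client_ip -> timestamps inside the window

    def decide(self, client_ip, ts):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.deny_networks):
            return "deny"
        window = self._hits[client_ip]
        # Drop hits that have aged out of the sliding window.
        while window and ts - window[0] >= self.window_s:
            window.popleft()
        if len(window) >= self.max_requests:
            return "rate_limited"  # over budget: not recorded, so the window does not grow
        window.append(ts)
        return "allow"


def replay_log(lines, max_requests, window_s, deny_networks):
    """Replay "<ts> <client_ip> <method> <path>" lines; return {client: Counter(decision)}."""
    control = RateControl(max_requests, window_s, deny_networks)
    outcome = defaultdict(Counter)
    for line in lines:
        ts, client_ip, _method, _path = line.split()
        outcome[client_ip][control.decide(client_ip, float(ts))] += 1
    return dict(outcome)


# Constructed access log: one client bursts 12 requests in 0.55 s, one client makes
# a single request, and two clients come from a range on the deny list.
SAMPLE_LOG = (
    [f"{i * 0.05:.2f} 198.51.100.7 GET /login" for i in range(12)]
    + ["0.30 198.51.100.8 GET /"]
    + ["0.40 192.0.2.50 GET /", "0.45 192.0.2.51 POST /login"]
)
DENIED = ("192.0.2.0/24",)  # constructed deny rule


if __name__ == "__main__":
    for client, counts in replay_log(SAMPLE_LOG, 10, 1.0, DENIED).items():
        print(client, dict(counts))
```

With a budget of 10 requests per second, the bursting client gets its first 10 requests through and the remaining 2 are rate-limited, the single-request client is allowed, and both requests from the denied range are refused before any budget is consulted. In a real WAF the same two rules would be expressed as a rate-control policy and a network-list deny action rather than Python, but the ordering (deny rules first, then per-client budget) is the part worth carrying over.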