The new cyber-security frontier: blackmail and ransom, with the threat of DDoS
By Alex Winterflood, Solutions Architect, MTI Technology - 23 December 2015
Headlines this past year have depicted a typical breach scenario where attackers extract business information, for fraud or sale to the highest bidder. The usual pattern involves the use of a DDoS smokescreen to take a company’s systems offline or to distract them, while an underlying attack is deployed to extract crucial data under the radar.
In the latter stages of 2015, we’ve witnessed the emerging threat of cyber criminals sending blackmail emails to companies, threatening DDoS attacks unless they receive a sum of money. ProtonMail was recently on the receiving end of this type of attack. The email service provider received an email with demands, followed by a small DDoS attack, showing just how serious the cyber criminals were about following through with a large-scale attack.
What is the right way of dealing with such threats?
In situations such as this, the organisation under blackmail is between a rock and a hard place. They can either keep their resources online by paying the sum requested, or refuse, and fall victim to the attack, which can affect their entire IT infrastructure, incurring significant operating losses. Furthermore, there is no guarantee the attackers will not come back with more demands, after the money has been paid – it has, after all, been commercially successful once already.
Reinforcing DDoS defences is vital, but this takes time, and in the interim allowing your site to go down can cost significantly more than giving in to the blackmailers. Any decision on how to deal with the cyber criminals needs to be commercially driven.
Once the situation has resolved itself, one way or the other, a full audit is necessary to assess the real impact of the attack. This is a more immediate need than trying to find and bring the attackers to justice, which is often the first port of call for aggrieved companies. There is a danger that the attacker used the blackmail and DDoS threat as a primary attack, while planting malware in the company’s system to extract data over a longer period of time.
How did the ProtonMail attack unfold?
After an initial email detailing the demands and an example of their capabilities, the cyber criminals attacked ProtonMail again the following morning. Once the attackers realised that they would not be receiving any payment at that stage, they increased the strength and sophistication of the attacks.
As a result, the company’s upstream providers and data centre went down, affecting not only ProtonMail but hundreds of other companies. The involvement of third parties forced ProtonMail, who were originally against paying anything, to succumb to the demands and cough up the requested bitcoin.
In the aftermath of the attack, the different stages and targets became clear. The first stage was a volumetric attack that targeted ProtonMail’s IP addresses. The second stage was more complex and targeted weak points in the infrastructure of the company’s Internet service providers. It was suggested that, given the sophistication and strength of the second attack, state-sponsored groups might have been responsible.