Cyber criminals who deal in ransomware typically will capture and encrypt sensitive data and then demand payment from victims to decrypt it. To expedite the transaction, the payment demand comes with the threat of exposing increasing volumes of captured information to the public and raising the ransom amount if the deadline is not met.
But organizations are becoming more resistant to this type of attack. Appreciating that the threat of an expensive ransomware attack is very real, many have taken precautions against it in the form of backing up data on a daily basis and storing it offline or in the cloud. Instead of yielding to a ransom demand, they simply restore the data lost through encryption from backups. Operations are back to normal in no time without the need to contact anonymous criminals and trust that they will decrypt data after the ransom is paid.
Upping the Ante
Undeterred, cyber criminals have devised an effective countermeasure… In a new tactic, they are threatening organizations with Denial of Service (DoS) attacks unless they give in to their ransom demands.
The purpose of a DoS attack is to prevent others from accessing the victim’s web servers, web applications, cloud services and other online assets by flooding them with bogus service requests that disrupt the processing of legitimate requests. A more effective variation of this mechanism is the Distributed Denial of Service (DDoS) attack, which is launched from multiple sources at once. This is cheap and easy to do and helps obfuscate the true source of the attack. The attack can be sustained until victims give up and pay.
This scheme usually involves an extortion letter that warns the victim of an impending DDoS attack – small at first, and with no damage, just to prove it can be done – and then escalating, with ever-increasing damage, until payment is made. Initial payment demands vary and known amounts have reached $230,000 in Bitcoin. Whatever the amount demanded, it increases for each day the ransom is not paid, during which the victim’s operations grind to a halt while the DDoS attack continues.
The FBI’s recommended preventive measures against this kind of attack include…
- Enroll in a Denial of Service mitigation service that detects abnormal traffic flows and redirects such traffic away from your network.
- Proactively monitor inbound email traffic for ransom demands, which may be indicative of an impending DDoS attack.
- Configure network firewalls to block unauthorized IP addresses and disable port forwarding.
- Check with your local Internet service provider (ISP) to see if they have the ability to control network traffic attacking your network during an event. If so, they may even retain forensic data useful for law enforcement investigations.
- Ensure all network devices, operating systems, and applications are up to date and that the latest security patches are implemented as soon as they become available.
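The difference between a single-source flood and a distributed one, and the reason the first FBI recommendation above points to a mitigation service that watches for abnormal traffic flows rather than to blocking individual addresses, is easiest to see in a small rate check over access logs. The following is an added example, not code from the article or from the FBI: it slides a fixed window over constructed log lines (timestamp, source IP, path; the addresses are from the RFC 5737 documentation ranges), counts requests per source, and reports "dos" when one source exceeds a per-source limit (a block list handles it) or "ddos" when every source stays under that limit but the aggregate rate is abnormal (only upstream filtering helps). The window length and both thresholds are assumed values, not figures from the article.

```python
"""Sliding-window request-rate check over web access logs.

Added example, not code from the article. Contrasts a single-source flood
(DoS), which per-source thresholds catch, with a distributed flood (DDoS) in
which every source stays under the per-source limit and only the aggregate
rate is abnormal. All log lines are constructed; IPs are from RFC 5737.
"""
from collections import Counter
from datetime import datetime, timedelta

WINDOW_SECONDS = 10      # sliding window length (assumed value)
PER_SOURCE_LIMIT = 20    # requests per window one client may reasonably make (assumed)
AGGREGATE_LIMIT = 100    # requests per window the whole site normally sees (assumed)
WINDOW_START = datetime(2024, 1, 1, 10, 0, 0)   # start of the constructed traffic


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <src_ip> <path>'."""
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def classify_window(lines, window_start=WINDOW_START, window_seconds=WINDOW_SECONDS,
                    per_source_limit=PER_SOURCE_LIMIT, aggregate_limit=AGGREGATE_LIMIT):
    """Count requests per source inside [window_start, window_start + window)."""
    window_end = window_start + timedelta(seconds=window_seconds)
    per_source = Counter()
    for line in lines:
        ts, ip, _ = parse_line(line)
        if window_start <= ts < window_end:
            per_source[ip] += 1
    total = sum(per_source.values())
    offenders = sorted(ip for ip, n in per_source.items() if n > per_source_limit)
    if offenders:
        verdict = "dos"       # one or a few sources over the limit: a per-IP block list works
    elif total > aggregate_limit:
        verdict = "ddos"      # no single source over the limit, yet the aggregate is abnormal
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "total": total,
        "distinct_sources": len(per_source),
        "block_list": offenders,   # what a firewall rule set could consume
    }


def make_traffic(scenario, start=WINDOW_START):
    """Build constructed log lines for 'normal', 'dos' or 'ddos'."""
    lines = []

    def emit(ip, count, path="/"):
        for i in range(count):
            ts = start + timedelta(seconds=i % WINDOW_SECONDS)   # stay inside the window
            lines.append(f"{ts.isoformat()} {ip} {path}")

    # background traffic: three ordinary visitors making 5, 6 and 7 requests
    for i, ip in enumerate(("203.0.113.5", "203.0.113.17", "203.0.113.42")):
        emit(ip, 5 + i, "/login")
    if scenario == "dos":
        emit("192.0.2.99", 150)                 # a single source floods the site
    elif scenario == "ddos":
        for host in range(1, 51):               # fifty sources, four requests each
            emit(f"198.51.100.{host}", 4)
    return lines


def run_scenario(scenario):
    """Generate the constructed traffic for a scenario and classify its window."""
    return classify_window(make_traffic(scenario))


if __name__ == "__main__":
    for name in ("normal", "dos", "ddos"):
        print(name, run_scenario(name))
```

In the "ddos" run the busiest address makes only 7 requests, so a firewall rule keyed on source IP has nothing to block even though the site is receiving more than twice its normal aggregate load; that gap is what an upstream mitigation service or an ISP-side traffic control is meant to close.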
To Pay or Not to Pay
The FBI does not encourage the payment of ransoms. It says this only emboldens cyber criminals to target additional organizations and encourages other criminal actors. Further, paying the ransom does not guarantee the cyber criminal will refrain from attacking a victim’s network anyway.
However, when businesses are faced with an inability to function, the FBI understands that executives must evaluate all options to protect their shareholders, employees, and customers. Regardless of the decision to pay or not to pay, the FBI urges victims to report incidents to their nearest FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking these attackers and holding them accountable under U.S. law.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.