Ransomware & Ransom DoS, Why They Are Similar But Different
Since 2020, ransomware and ransom denial-of-service (RDoS) have become ubiquitous, with ransomware attacks grabbing headlines nearly every week. While ransomware and ransom DoS share a common objective and some of their tactics overlap, their techniques and success rates are quite different, and so are the threat and potential impact for organizations. Over time, as both threats evolved, each has borrowed reputation and techniques from the other.
Ransomware attacks leverage crypto-locking malware that renders systems unusable and data inaccessible. The malware needs to be deployed on servers inside the organization, so attackers must first breach the network or a device inside it and then move laterally across the organization to impact as many systems and lock as much data as possible. Initial access is typically bought from Initial Access Brokers, middlemen who use their own methods to breach networks and gain a foothold, then sell that access to other threat actors, mostly ransomware gangs or their affiliates.
Ransomware attacks render systems inoperable and data inaccessible. In many cases, sensitive data is also exfiltrated, adding the risk of a data leak.
RDoS attackers leverage denial-of-service attacks to extort their victims. By disrupting online services, they can impact the business, productivity and reputation of an organization. Attackers target online resources such as websites, domain name services, web APIs and gaming lobbies to render online services inoperable and damage an organization’s reputation. They can also impact productivity by targeting voice, email and remote access in branch offices or for remote workers. Other targets include the internet connectivity required to reach cloud applications, and production plants that depend on connectivity for remote operations and on the cloud for logistics data exchange with resource planning applications and external organizations.
It is important to note that, unlike ransomware attacks, RDoS and DDoS attacks in general do not breach networks or systems; no data is stolen or compromised during the attack.
An RDoS attack starts with the attacker sending a private message, for example an email from a privacy-minded email provider, demanding payment of a certain ransom to avoid becoming the target of their next attack. If the organization does not pay within a set deadline, the attackers start a DDoS attack and continue until the ransom is paid. Typically, the ransom demand increases every day the victim refuses to pay.
In reality, DDoS attacks tend to stop as soon as the actor finds their attempts being successfully mitigated. Attacks last several hours, change vectors to evade detection and mitigation systems, and may flare up again several days after a failed attempt, but ultimately the extortionists are forced to walk away empty-handed.
| (stats for 2021, all currency in USD) | Ransomware | Ransom DoS |
|---|---|---|
| Objective | Financial gain | Financial gain |
| Primary technique | Crypto locking | DDoS |
| Impact | Permanent (until recovered) | Transient (while attack lasts) |
| Average ransom demand | $5.3 million | $5,000 up to $1 million |
| Average ransom payment | $570,000 | ~$0 |
| Largest payout | $40 million | $6,000 (in 2015) |
| Success rate | 70% | Very low |
| Estimated damage cost | $1.85 million average | $9 to $12 million |
| Defense | Defense-in-depth, segmentation to limit impact, but no silver bullet | Adequate DDoS protection service |
Ransomware Triple Extortion
Techniques leveraged by ransomware operators have evolved and diversified to increase their chances of reaching their objective. As victims became better prepared, with backups readily available to restore and recover from crypto-locking malware, ransomware operators started exfiltrating sensitive data to gain more leverage over the victim. If the victim was still not impressed, operators started threatening DDoS attacks to pressure their victims back to the negotiation table.
Ransom DoS actors posing as Ransomware gangs
The success, impact and drama surrounding highly visible ransomware gangs have not escaped the attention of other criminals. In one of the recent RDoS campaigns targeting VoIP providers in the UK and Canada, actors posed as ‘REvil,’ an infamous ransomware gang responsible for the devastating attacks on JBS SA and Kaseya Ltd. Similar to ransomware operators announcing new victims on underground blogs, the RDoS actors posing as ‘REvil’ shared their ransom letter through Pastebin and extorted one of their victims, Voip.ms, in public on Twitter, aiming to increase the pressure on the victim.
Defending against Ransomware and Ransom DoS
Speaking from personal experience, I have yet to see a DDoS attack that blasts through our defenses. That said, there is always a small window of time where bad traffic can potentially leak while detection algorithms are crafting automated signatures to block bad traffic and tune the signatures to avoid false positives that would block legitimate traffic. But in general, there is, in my experience, no reason to pay the ransom when protected by an adequate DDoS service.
Ransomware, on the other hand, is a very hard threat to defend against and eliminate. Ransomware operators have organized their underground ecosystems and gathered a large following of skilled hackers-for-hire and affiliates happy to share in the profits from large extortion campaigns. The incentive has become too big, and the demand for hacking skills and resources on the underground has grown ever since ransomware operators began running successful campaigns. With highly motivated threat actors seeking payouts from organized cybercrime groups, attacks have shifted from automated to human-operated. It is one thing to defend against automation, but far more difficult to defend against human intelligence and perseverance driven by multi-million-dollar payouts.
Footnotes and References
- Ransom demands fluctuate: campaigns in 2020 were found to ask as much as 20 BTC, while more recent campaigns by an actor posing as ‘The Cursed Patriarch’ settled for as little as 0.06 BTC
- Study: 70 Percent of Businesses Hit with Ransomware Paid the Ransom | Healthcare Innovation (hcinnovationgroup.com)
- Bandwidth.com expects to lose up to $12M following DDoS extortion attempt – The Record by Recorded Future