Estimated reading time: 6 minutes
Is the threat of a large-scale DDoS attack enough to convince organizations to bow to a ransomware attack?
It might be a good time for companies to invest in DDoS protection , as hackers have begun to use the threat of large-scale DDoS attacks to carry out ransomware attacks on organizations .
According to a new blog post from Cloudflare, a major company, in the Fortune Global 500, was the target of a DDoS ransomware attack ( RDDoS ) in late 2020. The attacking group claimed to be Lazarus Group , North Korea’s largest and most active hacking division .
This extortion attempt was part of a larger trend of ransom campaigns that has been developing throughout the past year . Cybercriminals will likely continue to use similar methods, as they have been quite successful.
What is a DDoS Ransomware?
Unlike a ransomware attack in which cybercriminals enter a company’s network in order to block their files, RDDoS attacks use the threat to obscure the Dell website. ‘company with traffic overload and this can be crippling for business.
Just as an organization can use cloud backup and other similar services to protect its data from being blocked following a ransomware attack, DDoS protection ensures that a company’s website remains secure if it is suddenly flooded with traffic overload.
What is a DDoS attack?
Before continuing and to better understand what we are talking about.
DDoS is an acronics which means Distributed Denial of Service . Attacks of this type target websites and online services. The goal is to flood the site with more traffic than the server or network can accommodate . The purpose is to make the website or service unusable.
Traffic can consist of inbound messages, connection requests or fake packets. In some cases, victims are threatened with a DDoS attack or attacked at a low level . This attack can be combined with an extortion threat than a more devastating attack unless the company pays a ransom in cryptocurrency . In 2015 and 2016, a criminal group called the Armada Collective repeatedly extorted money from banks, web host providers and other companies using this method.
How Do DDoS Attacks Work?
The theory behind a DDoS attack is simple: flood a server with requests so that it reaches the limit that available resources allow. If the attack is successful, your server, service, website or network is rendered inoperable.
The primary way a DDoS is accomplished is through a network of remotely controlled, hacked or bot computers . These are often called “zombie computers”, we have also seen them in the techniques of Zombie Phishing . These zombies , organized in networks called botnets , are used to flood websites, servers and networks with more data than they can accommodate.
Botnets can send more connection requests than a server can handle or send huge amounts of data that exceed the bandwidth capabilities of the targeted victim. Botnets can range from thousands to millions of computers controlled by cybercriminals. Your computer could be part of a botnet without you knowing.
What are the symptoms of an attack?
DDoS attacks have distinctive symptoms . The problem is that the symptoms are so similar to other problems you may have with your computer that it can be difficult to understand without a professional diagnosis. Symptoms of a DDoS include:
- – Slow file access, both locally and remotely
- – Inability to access a particular website
- – Logout from the Internet
- – Problems accessing all websites
- – Excessive amount of email spam
Most of these symptoms can be difficult to label as unusual . However, if two or more occur over long periods of time, you could be the victim of a DDoS and check them out.
Phenomenology of a DDoS Ransomware Attack
A DDoS ransomware attack is like pointing a gun at someone and asking them for their wallet. It is not known if the gun is real (or loaded), but to avoid an unpleasant misunderstanding, the money is handed over.
In these attacks, in fact, the hackers threaten to carry out the attack, but have not yet performed any. In some cases they launch a minor attack as a demonstration action.
The attack covered in the Cloudflare article started like many other attacks, with ransom emails sent to employees of the organization. These emails contained a note that read:
Please do a Google search of “Lazarus Group” to take a look at some of our previous work. Also, search for “NZX” or “New Zealand Stock Exchange” in the news. You don’t want to be like them, do you?
The current price is 20 Bitcoin (BTC). It’s a small price to pay for what will happen if your entire network goes down. Is it worth it? You decide!…
If you decide not to pay, we will start the attack on the indicated date and will keep it until you do. We will completely destroy your reputation and make sure that your services remain offline until you pay… “.
The attackers then began sending a large amount of traffic to one of the company’s global data centers , firing gigabits of data per second to a single server. This led to a DDoS event and generated a series of unpleasant inconveniences.
Next, the criminals launched an attack at the end of a working day that was difficult to mitigate due to the fact that the organization was still using services to mitigate previous attacks.
Mitigating DDoS attacks can be quite difficult when an attack is already underway, which is why companies should consider using dedicated and proactive DDoS protection .
We will likely see an increase in similar attacks this year , so now is the time to take the necessary precautions or risk having the company’s website taken down or worse, having to pay a ransom in order to continue with the services offered.
The SOD proposal for companies
Due to the possibility that these DDoS Ransomware attacks become more and more frequent, we think we are a good time to evaluate one of our services in this regard.
CDN against DDoS ransomware attacks
One way to mitigate attacks is by using CDN ( Content Delivery Network ) services such as Cloudflare . These services distribute a static copy of the site on their servers around the world. When the site is requested by a client, the request is processed by the closest CDN server, reducing the loading time.
The use of this type of service filters access to the company site by distributing traffic to other servers that keep a copy of the site.
In this way, not only is the site loaded via the CDN server closest to the user, reducing the loading time, but the traffic is distributed territorially and what actually reaches the server is a fraction of the real one .
For our customers who use different services, it is necessary to design an ad-hoc solution. Contact us to find out more.
There have been critical cases of ransomware of note lately. Tor Vergata University suffered an attack that knocked out about a hundred computers. Access to the systems by teachers and students has been blocked. The attack affected a number of documents related to COVID-19 research that were encrypted and then made inaccessible. In addition, two other noteworthy cases shook hospitals in September. The first took place in Germany, in Düsseldorf, where a woman lost her life following an attack that also blocked the machinery that kept her alive. The second happened in the USA and involved UHS (Universal Health Services). In that case, patient care was kept secure, but the IT applications were out of order.
For the uninitiated, ransomware-type attacks happen this way: attackers take possession of the data on a computer and remove or encrypt it. They ultimately render them unusable and require the victim to pay a ransom to free up the data again.
The costs of an attack
According to the Cost of a Data Breach report, a critical ransomware attack can cost an average of $ 4.44M. It is an impressive figure that should make us reflect on the value of data managed by companies and on their protection.
Let’s see in detail some attacks and what consequences they had.
A fatal ransomware
For the first time, a woman dies after a cyber attack on a hospital. On September 9, 2020, a critical ransomware attack, launched at a hospital in Düsseldorf, caused the vital systems to which the patient was connected to no longer function properly. The victim had to be transferred to another hospital as quickly as possible. For more than 30 kilometers, the paramedics fought for the victim’s life, but ultimately without success. Many questions remain pending regarding this case, first of all why the machines that kept the woman alive were connected to a hackable network. The investigations continue, however, showing how the network must be protected for the physical safety of users, to avoid tragic consequences.
An attack on research
The access of students and teachers was blocked at the University of Tor Vergata with a critical ransomware attack that made documents concerning the research on COVID-19 inaccessible. The attackers managed to break into systems within hours and encrypt files on hard drives. A month later, no ransom had yet been requested.
Such an attack could slow down the search, hampering the process. Even if no ransom was required, the damage would still be tangible.
Attack on UHS
Fortunately, it finished better than the attack in Düsseldorf, another episode hit areas close to health. Facilities using Universal Health Services (UHS) systems have seen access to the system freeze due to an attack. Fortunately, there were no casualties and patient care was guaranteed all the time, as stated by UHS itself.
Other critical ransomware attacks
Critical ransomware attacks happen all the time and can have non-immediate implications. For example, Fragomen, a New York law firm, suffered an attack and a consequent data breach involving the personal data of some Google employees.
Another attack hit Enel, which was asked for a ransom of € 14M in bitcoin. The attack refers to the download of private data, contacts, databases, financial and customer documents for a total of 4.5 TB. Enel did not provide any press release regarding the attack.
Run for cover
Unfortunately, ransomware attacks are among the most subtle and annoying, because they also leverage a psychological factor of the victim who sees a way out (payment) and tries to cover what happened in order not to lose reputation.Unfortunately, following a successful attack, the data is still breached and security has proved ineffective.
So how do you make sure these attacks are neutralized? Adequate security measures must be implemented to prevent attacks as much as possible and provide a quick response in critical situations.
Services such as those offered in partnership with Acronis and SOD’s SOCaaS are essential tools for defending your data and corporate network. The first proposed service secures data through backups and monitors file changes. As soon as an encryption attempt is detected, the data is locked and secured to avoid the worst. In the unfortunate event that the attack is successful, backups reduce the severity of the consequences and prevent actual data loss.
SOC as a Service is an all-round solution that monitors all the IT infrastructure referred to. The defense is not specific to a type of attack, but instead focuses on detecting anomalies, even in user behavior, which can indicate ongoing attacks of all kinds.
Finally, to verify that your system is protected, it is possible to request preventive services such as Vulnerability Assessment and Penetration Test. These test the infrastructures with controlled attacks in order to stimulate the security response and identify the areas that need to be reinforced. We recommend implementing this type of service regularly throughout the year as a preventative measure.
If you have any questions about the services or want to talk to us about your situation to request an intervention, do not hesitate to contact us, we will be happy to answer your questions.
Acronis Active Protection is an advanced anti-ransomware technology. It actively protects all the data on your systems: documents, data of all kinds and Acronis backup files. It is a technology available for Windows and Mac OS X operating systems and protects against the latest ransomware actions such as Petya, WannaCry, Locky and Osiris.
What is Ransomware?
Ransomware is a particularly painful type of malware. Malware is “hostile or intrusive software” illegally introduced into your system for malicious reasons. When ransomware infects the system, it blocks access to data. Whoever introduced the malware will then make a cash request to unlock the data. In short, the mechanism is that of redemption.
To defend against this type of attack, it is necessary to constantly monitor the activities that take place in the system.
Find the patterns
Acronis Active Protection constantly observes the patterns in how files and data are changed. A set of behaviors can be typical and expected. Another may report a suspicious process that aims to initiate hostile actions against the data.
Acronis’ approach is as follows: examine these actions and compare them with patterns of malicious behavior. This approach can be exceptionally powerful in identifying ransomware attacks, even from variants that have not yet been reported. The latest version of Acronis Active Protection adds additional behavioral patterns to improve ransomware detection.
Acronis has invested heavily in a new dedicated machine learning infrastructure used for telemetry and data processing. The first step in the process is a stack trace analysis. It is possible to detect malicious code by using the stack trace analysis of a process based on the machine learning approach.
The data to be studied and analyzed are the stack trace dumps / frames which are sent as input to the Acronis Machine Learning module. The output of the analysis will be the verdict: clean or infected data. This approach takes active protection to a new level, especially when it comes to threats never used before (called Zero Day).
The system does not require signatures of any kind, but rather creates a model of what is acceptable and what is not. In this way, when hackers will find a new vulnerability or a new approach to infiltrate the system, they will hardly be able to pass this behavior check made thanks to the models applied by Acronis.
Defense against advanced threats
Acronis Active Protection can detect very sophisticated ransomware threats that usually appear as legitimate operations. The detection of attacks takes place thanks to the application of advanced heuristics and machine learning, but not only.
In fact, special mathematical approaches are also adopted to calculate the entropy of the files, in order to understand if the file has been modified even if the header remains the same. Many anti-ransomware solutions, on the other hand, only act based on file headers.
One way that criminals could choose to compromise files would be to attack the backup software itself to corrupt the backup files it creates. To protect against this, Acronis has implemented a robust self-defense mechanism that will not allow criminals to interrupt the work of the Acronis application or the contents of the backup files. In addition, Acronis Active Protection checks the Master Boot Record of Windows-based computers. Hence, it will not allow illegitimate changes to be made to prevent the computer from starting.
How it intervenes
If the ransomware attack starts encrypting files, Acronis quickly detects and stops this process. Since Acronis is a backup solution, any data that was exposed and encrypted before the process was stopped can be recovered from a variety of sources. This is remarkable, considering that not only can anti-ransomware solutions commonly fail to terminate an attack once it has begun, they also have no way of recovering files encrypted by the attack.
Acronis Active Protection detects and deflects attacks and restores files of any size.
The methodologies detect and deflect attacks and advanced file recovery. These protection approaches are not only leading the way against criminals, but they are more innovative and advanced than any other anti-ransomware methodology available.
The Acronis solution is able to identify:
– Hackers trying to infect or compromise local or cloud backups
– Reduced attacks and usually more difficult to detect (for example, changing only a small portion of a document or a photo stored deep in the hard disk)
– Attackers who come up with creative new ways to attempt maliciously manipulating files
The application of artificial intelligence in the field of cyber security has made giant strides in defense possible and is making life extremely complicated for hackers. The search for innovative solutions is now oriented towards the implementation of machine learning to try to capture malicious behavior rather than the attacks themselves. Acronis Active Protection does this and does it effectively, offering complete and efficient protection from ransomware attacks.
The threats do not end once the security of your systems and perimeter has been verified, you must adopt constant defense and verification solutions to ensure your data in the best possible way.
Estimated reading time: 7 minutes Il vishing è una particolare tipologia di phishing che sfrutta la tecnologia Vo… https://t.co/q9OO03jSHj
Estimated reading time: 5 minutes Come abbiamo già affrontato precedentemente negli scorsi articoli, i ransomware… https://t.co/O8xUUJocYc
Estimated reading time: 6 minutes Il Database Activity Monitoring (DAM) è una tecnologia applicata alla sicurezza… https://t.co/juh8ZBKMqP
Estimated reading time: 6 minutes I continui progressi in ambito di automazione della sicurezza informatica hanno… https://t.co/mPc4yUpVf8
Estimated reading time: 5 minutes Nell’articolo precedente abbiamo visto i più comuni casi d’uso di un SOCaaS, sp… https://t.co/MvxAKo6Zey