In the past few weeks we witnessed a wave of DDoS attacks targeting several prominent online companies: MeetUp, Elance and BaseCamp, to name a few. The common theme for these events was the attackers’ motivation. In all cases the offenders were trying to blackmail the websites’ owners, asking for a ransom of 300-400 USD to prevent the attack.
The phenomenon of blackmail DDoS is anything but new, but now we are seeing it in record-breaking numbers, as more and more businesses are reaching out to us following such blackmail threats. In the words of one of our Sales team members, the number of blackmail-related inquiries went from ‘once a week to once or twice every other day’.
Observing these cases as a whole, we notice three common trends:
- Claim that the attack was paid for by a competitor
- Ransom asks ranging from 300 USD to 700 USD
- The attacks are mostly network layer, ranging from 15Gbps to 30Gbps
Combined, these provide a clue about the attackers’ motives, tools and identity.
Blame it on the ‘Competitor’
This is a very common tactic, used to alarm the target while also taking some of the heat off the actual offender. The main goal here is to make you believe that your competitors are ‘out to get you’, prompting you to treat the blackmail attempt as a business decision.
In this scenario the attackers try to color the blackmail attempt as an opportunity to respond to an unethical move by a competitor – something that can be viewed as more acceptable, thus increasing the chances of a payoff.
Of course, all of these claims are obviously false. DDoS can be used for competitive advantage, but such occurrences are rare, and attackers who were specifically hired to take down a site will not offer any ‘opt-out’ options.
That being said, we did encounter several blackmail emails that offered their recipients the ‘opportunity’ of picking the next target. Obviously none of our clients had any reason whatsoever to respond to these threats, so we can’t know how this would actually play out.
$300 or Your Site!
The reasons behind these suspiciously low ransom asks were speculated upon by Scott Heiferman (Co-Founder and CEO of MeetUp.com), who suggested that the attackers were lowballing the company before demanding larger sums of money down the road.
This is a fair assessment, compatible with the modus operandi of real-world extortionists. However, in the case of ransom DDoS, one must also consider the economics behind the attack.
As noted, most of these attacks were mid-sized network DDoS events, ranging from 15Gbps to 30Gbps in their attack volumes. While such attacks may seem sophisticated – and while they can be absolutely devastating to an unprotected website – their cost of execution is surprisingly low.
The fact is that today virtually everyone can carry out such DDoS attacks by signing up for any one of the ‘DDoS for Hire’ services. Such services (a.k.a. booters or stressers) provide their clientele with access to clusters of compromised machines, which can be activated to carry out DDoS attacks against any target.
60Gbps DDoS attacks. Packages starting from 3.99$…
Finding such a service is as easy as Googling for ‘booter’ or finding the right conversations in the right forum. Once found, the service’s user-friendly GUI helps eliminate any learning curve or requirement for prior technological knowledge. Most importantly, the price of these booters is only a few dozen dollars a month.
For example, one such service offers the option of carrying out an unlimited number of hour-long DDoS attacks for a fee of 40 USD a month. From the attacker’s perspective this offers a very good return on investment, with just one successful blackmail attempt offering almost 1000% net profit.
Another thing to consider is the cost of the target’s alternatives.
In the last few years cloud-based solutions have significantly lowered the cost of DDoS protection. The current price of DDoS protection, which starts at a few hundred dollars a month, puts a cap on the blackmailers’ demands. After all, why would any business owner pay several thousand in ransom when, for the same price, he can protect himself from this and any future DDoS threats?
Criminal Masterminds or Kids with Nukes?
So who would take the risk of DDoSing a service for 300 or 400 USD? Are they criminal masterminds trying to lay down long-term extortion schemes, or are they just opportunists trying to make a quick buck?
Based on the facts of these cases, and on our previous experience, the latter answer is the more likely one. The ‘copy pasted’ emails, the booter-sized attack volumes and the lackluster ransom demands all point in the same direction, exposing a growing phenomenon: widely available DDoS ‘nukes’ that are now being used by non-professional hackers.