WP What is Ransom DDoS (RDDoS) | How it Works & Mitigation | Imperva

Ransom DDoS

Edge SecurityDDoSEssentialsThreats

What is Ransom DDoS (RDDoS)?

Ransom Distributed Denial of Service (RDDoS) attacks are DDoS extortion attacks—hackers threaten to perform DDoS attacks if a ransom fee is not paid. The hacker demands payment, generally in the form of cryptocurrency, so that the transaction cannot be traced by law enforcement agents.

Like a regular DDoS attack, RDDoS floods servers or networks with fake requests, which stop legitimate network requests from reaching their destination. This can negatively affect a business’s reputation, disrupt operations, and in some cases cause loss of revenue. Yet, it is recommended not to pay the extortion fee, as there is no guarantee that the attackers will stop the attack, and they may demand larger payments later on.

DDoS extortion/RDDoS attacks are different from ransomware attacks. A ransomware attack occurs when malicious software encrypts files belonging to an organization, and blocks access by data owners until the ransom is settled. An RDDoS attack does not involve penetration of the organization’s network, only disruption of network or application traffic.

Why are Ransom-Related DDoS Attacks Becoming Common?

Here are several reasons why RDDoS is growing as a threat vector.

  • Attacks now require less effort than installing malware—installing malware in the IT infrastructure of an organization requires expert skills. It also takes time to customize and deploy malicious software for the purposes of sabotage or data theft. Comparatively, DDoS attacks are simple to carry out, and botnets can be rented at a low cost.
  • Attackers can easily perform attacks using common web applications—attackers are increasingly taking advantage of devices with built-in network protocols to amplify DDoS attacks. This requires minimal resources. Disabling built-in networking features, such as CoAP, ARMS, and WS-DD is not a solution as it can result in a loss of functionality, productivity, and connectivity.
  • The rise in Bitcoin value makes extortion techniques more valuable to attackers—as Bitcoin prices are rising, RDDoS criminals are revising their demand strategies and initiating massive extortion campaigns.

A Brief History of RDDoS Attacks and Recent Attacks


RDDoS attacks emerged in the late 1990s, when their impact on business functions were minimal (as most of these were still done offline). Organizations were primarily concerned by the influence of RDDoS attacks on customer behavior, as they might choose to switch to a competitor.


In 2014, the seriousness of RDDoS attacks became apparent when the cybercriminal organization DDoS for Bitcoin (DD4BC), carried out large-scale attacks. They first targeted online gambling Bitcoin exchange companies, but then expanded to the entertainment, energy and financial sectors.

A DD4BC attack usually involves small-scale DDoS attacks followed by messages demanding a Bitcoin ransom to prevent larger-scale attacks. Threats and ransoms are escalated against unresponsive victims.


Since late 2015, DD4BC has added threats to expose companies who fail to pay ransoms, so as to hurt their reputations. Over 140 organizations had been targeted by the start of 2016, when European authorities arrested two members of DD4BC.

This tactic appears to have been profitable for DD4BC and has attracted copycat cybercriminals, who may impersonate well-known hacking groups to leverage their notoriety in scaring victims. For example, the Armada Collective claimed to have carried out the RDDoS campaign against various organizations, including Hushmail and ProtonMail, in late 2015. However, ProtonMail suffered continuous attacks even after paying the ransom.


In 2017, RDDos tactics reached a new level of sophistication with use of botnets. These botnets, made up of infected IoT devices, enabled large-scale DDoS attacks. By the end of the year, however, this tactic lost some traction, as it turned out to be less effective, with many attackers failing to implement their threats.

Towards late 2017, the trend shifted to large-scale email campaigns threatening DDoS attacks—most notably by the Phantom Squad, which demanded ransoms of approximately $800 in Bitcoin.


Since early August 2020, sophisticated RDDoS campaign has continuously targeted thousands of organizations globally, in multiple sectors. The FBI issued a warning in late August, alleging that groups such as the Armada Collective, Fancy Bear, Cozy Bear and Lazarus Group may be participating.

Most victims have managed to mitigate these attacks, but some have experienced continuous disruptions to their business operations. For example, the New Zealand Stock Exchange suffered several trading halts in August as its hosting provider, Spark, was targeted repeatedly.  by the threat actors, and this led to network outages for Spark’s other customers as well.

Unlike other threat actors that typically target the public websites of their victims, The cybersecurity provider Akamai has reported that while most threat actors tend to target public websites, this campaign targeted API endpoints, DNS servers and backend infrastructure. The attackers managed to obfuscate their attack behaviors by frequently changing the protocols exploited for RDDoS attacks. This suggests that the cybercriminals responsible for this campaign are highly sophisticated, with access to extensive resources.

How Does a Ransom DDoS Attack Work?

Many DDoS ransom attacks are initiated with a ransom note, which threatens the targeted organization. In certain instances, before a criminal sends out the ransom note, they may orchestrate a small attack to demonstrate their seriousness.

If the threat is real and the attacker decides to continue, the attack may occur as follows:

  1. The criminal, or group of attackers, starts directing attack traffic to the target. They may use their own botnet or a DDoS service they have rented. Attack traffic can target network layers 3 or 4 (network-level DDoS), or layer 7 (application-level DDoS).
  2. Attack traffic overwhelms the targeted service or application, and it either slows down or crashes completely.
  3. The attack keeps going until the resources of the criminal are depleted, the target successfully mitigates the attack, or the criminal stops the attack. Mitigation methods such as IP blocking and rate-limiting are effective only against small-scale denial of service. For large-scale DDoS, organizations typically use cloud-based protection services, which can scale up using cloud resources to withstand very large attacks.
  4. The criminal may orchestrate more attacks, renew their call for payment, or both.

Preventing and Mitigating DDoS Ransom Attacks

If you are at risk of an RDDoS attack, it is not advised to pay the ransom. Therefore, the main focus is on preventing and mitigating attacks as they happen. Here are a few measures commonly used by organizations to mitigate DDoS, and thus neutralize the risk of extortion.

Extending DDoS Mitigation to Additional IPs

DDoS mitigation protects an organization’s servers and network equipment from a DDoS attack, by detecting malicious traffic and diverting it traffic away from the network or server being targeted by the attack. However, attackers can identify IP addresses that are not protected by the organization’s DDoS mitigation service, and target them instead.

To defend against this, organizations can extend DDoS protection to safeguard as many web services, company IP addresses, DNS servers, and internet-facing infrastructure as they can.

Customizing DDoS Mitigation

A new, sophisticated DDoS technique involves attackers dispersing their attacks so that DDoS migration thresholds are not set off. Organizations can protect against this trend by partnering with mitigation providers to customize mitigation thresholds, in order to isolate and stop this behavior.

Working with ISPs

To preempt DDoS attacks, companies work with their Internet service providers (ISPs) to ensure that they can control network traffic over the course of an event. Both Verizon and AT&T have successfully mitigated disruption to network services experienced by their customers. ISPs may also be able to provide some of the forensic information that law enforcement authorities need.

Configuring Firewalls and Routers

Network routers and firewalls can be configured to stop unauthorized IP addresses and block unwanted network traffic. This can help prevent amplification of attacks via the organization’s own network equipment. Organizations must ensure that firewalls, routers, and other network devices have the latest version of software and firmware and apply the most recent security patches.

Imperva DDoS Protection

The best way to prevent ransom DDoS is to have a robust DDoS protection strategy. Imperva provides a DDoS Protection service that blocks attack traffic at the network edge, to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

Beyond DDoS protection, Imperva provides comprehensive protection for applications, APIs, and microservices:

Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.

Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.

Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.