Ransomware Groups Add a Third Threat Vector: DDoS

A ransom DDoS (RDDoS) attack is an extortion attempt: a malicious party threatens a person or organization with a distributed denial-of-service (DDoS) attack unless a ransom is paid. According to cybersecurity experts, the attacker may first launch a DDoS attack and then follow it with a ransom note demanding payment to stop it, or may send the ransom note first and threaten a DDoS attack if payment is not made. In the second case the attacker has not yet demonstrated any capability, but it is not prudent to presume the threat is hollow.


An effective DDoS mitigation service is the best defense against ransom DDoS attacks. Paying the ransom to the person or organization making the demands is never a smart option: it does not guarantee the attack will stop, and it marks the victim as willing to pay.


Blog Contents

  • What is a DDoS Attack?
  • How Does a Ransom DDoS Attack Work?
  • What Goes Into a Typical DDoS Ransom Note?
  • If You’re a Victim, What to Do?
  • Effective Protection
  • Conclusion


Let’s have a look at what these attacks are and how they disrupt their targets.


What is a DDoS Attack?

A DDoS attack attempts to exhaust an application, website, or network infrastructure so that legitimate users cannot be served. DDoS attacks flood their targets with a torrent of junk network traffic, like a traffic jam clogging a highway. They are “distributed” because the traffic comes from many sources, which makes them harder to block than a single-source denial-of-service (DoS) attack. DDoS attackers abuse a variety of networking protocols, and a successful attack can significantly disrupt an organization’s operations.


How Does a Ransom DDoS Attack Work?

Most DDoS ransom attacks begin with a ransom note sent to the target, in which the attacker threatens the enterprise or entity. If the threat is real and the perpetrator chooses to follow through, the attack proceeds as follows:


  1. The attacker starts sending attack traffic to the target. They may use their own botnet or a DDoS-for-hire service, or several individuals may coordinate and generate the traffic with DDoS tools. The attack traffic targets layer 3, 4, or 7 of the OSI model.


  2. The attack traffic overwhelms the targeted application or service, which either slows to a crawl or crashes entirely.


  3. The attack continues until the attacker’s resources are exhausted, the attack is stopped for some other reason, or the target manages to mitigate it. Rate limiting, IP blocking, blackhole routing, and a DDoS protection service are the mitigation options; the first three are difficult to enforce against widely distributed attacks, because no single source stands out and blackholing the victim’s prefix drops legitimate traffic along with the flood.


  4. The attacker may renew their payment demands, launch further attacks, or both.
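The mitigation options in step 3 are easier to reason about with numbers. The following is an added example (it is not code from the original post or from Radware): it applies per-source rate limiting, blocking of stand-out sources, and blackhole routing to constructed flow records and reports what reaches the victim. The link capacity, per-source limit, and traffic volumes are assumptions chosen for illustration, and the source addresses are drawn from the RFC 6598 shared range.

```python
"""Added example, not code from the original post or from Radware: why
per-source rate limiting and IP blocking stop a single-source DoS but not a
distributed flood, and why blackhole routing finishes the attacker's job.

Everything here is constructed: flow records are (src_ip, megabits_per_second)
tuples using addresses from the RFC 6598 shared range, and the link capacity,
per-source limit and traffic volumes are assumed values, not measurements.
"""
import ipaddress
import statistics

LINK_CAPACITY_MBPS = 1000.0   # assumed uplink capacity of the victim
PER_SOURCE_LIMIT_MBPS = 5.0   # assumed per-IP cap enforced at the network edge
_POOL = int(ipaddress.IPv4Address("100.64.0.0"))


def make_flows(n_sources, mbps_each, offset=0):
    """Constructed one-second flow records from n_sources distinct addresses."""
    return [(str(ipaddress.IPv4Address(_POOL + offset + i)), float(mbps_each))
            for i in range(n_sources)]


def rate_limit(flows, limit=PER_SOURCE_LIMIT_MBPS):
    """Per-source rate limiting: cap every address at `limit` Mbps."""
    return [(ip, min(mbps, limit)) for ip, mbps in flows]


def standout_sources(flows, factor=10.0):
    """Sources an operator would block by hand: rate above factor x the median.

    Against a distributed flood no single source stands out, so this returns
    nothing even while the aggregate saturates the link.
    """
    median = statistics.median(mbps for _, mbps in flows)
    return {ip for ip, mbps in flows if mbps > factor * median}


def ip_block(flows, blocklist):
    """Drop every flow whose source address is on the blocklist."""
    return [(ip, mbps) for ip, mbps in flows if ip not in blocklist]


def blackhole(flows):
    """Remotely triggered blackhole: upstream discards all traffic to the victim prefix."""
    return []


def assess(legit, attack):
    """Apply each control to the mixed traffic and report what reaches the victim."""
    mixed = legit + attack
    legit_ips = {ip for ip, _ in legit}
    report = {"offered_mbps": sum(m for _, m in mixed)}
    controls = {
        "rate_limit": rate_limit(mixed),
        "ip_block": ip_block(mixed, standout_sources(mixed)),
        "blackhole": blackhole(mixed),
    }
    for name, admitted in controls.items():
        total = sum(m for _, m in admitted)
        legit_mbps = sum(m for ip, m in admitted if ip in legit_ips)
        report[name] = {
            "admitted_mbps": total,
            "legit_mbps": legit_mbps,
            # the service is down if the pipe is saturated or no legitimate traffic gets through
            "service_up": total <= LINK_CAPACITY_MBPS and legit_mbps > 0,
        }
    return report


LEGIT = make_flows(50, 2.0)                            # 50 clients, 100 Mbps in total
SINGLE_SOURCE = make_flows(1, 2000.0, offset=10_000)   # one host flooding at 2 Gbps
DISTRIBUTED = make_flows(5000, 1.0, offset=20_000)     # botnet: 5 Gbps from 5000 hosts

if __name__ == "__main__":
    for label, attack in (("single-source DoS", SINGLE_SOURCE),
                          ("distributed flood", DISTRIBUTED)):
        print(label, assess(LEGIT, attack))
```

Against the single 2 Gbps host both the per-IP cap and the stand-out blocklist keep the service up; against 5,000 hosts at 1 Mbps each neither control touches a single flow, the 5.1 Gbps aggregate exceeds the 1 Gbps link, and the blackhole route takes the service down on the attacker’s behalf. Only a control that understands aggregate traffic (a scrubbing or DDoS protection service) changes that picture.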


What Goes Into a Typical DDoS Ransom Note?

A DDoS ransom note is a message sent to an organization by a malicious party demanding money, with the threat that the malicious party will otherwise carry out (or continue) a DDoS attack. The attacker may send several messages, each revealing more about their threats or demands. A typical note contains the elements below.



The threat


The threat contained in a DDoS ransom note can take a few different forms, such as:

  • The malicious group takes credit for a previous DDoS attack and threatens another one.
  • They claim credit for a DDoS attack currently underway against the target.
  • They threaten a future DDoS attack, either at a specific time or at a time of their choosing.



Details of the threatened attack


The attacker may claim to be capable of a DDoS attack of a particular size and duration to make the threat seem more dangerous. Such claims are not necessarily true: just because someone claims to be capable of a 24-hour 3 Gbps attack does not mean they can actually follow through with it.



Group affiliation


The attacker may claim affiliation with well-known ‘hacker’ groups such as Fancy Bear, Cozy Bear, the Lazarus Group, or the Armada Collective to lend credibility to the threat. Such claims may be true, but they are hard to verify, and borrowing a notorious name costs the extortionist nothing.



Demand for payment and instructions for delivering the payment


In every case the ransom note demands payment. Bitcoin is the usual request, but the attacker may also ask for another cryptocurrency or for fiat currency.



Deadline or time limit


Finally, the ransom note may set a hard deadline for paying the ransom, either before the threatened attack begins or in order for the ongoing attack to stop, to lend the demand urgency and raise the chance that the victim complies.
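The elements above are exactly what should go into the incident record when a note arrives. As an added example (not code from the original post), the script below pulls those fields out of a constructed note: the claimed group, the claimed attack size and duration, the demand, the payment address, the deadline, and any escalation. The note text and its `bc1q…` address are constructed placeholders, the group names are the ones the post lists, and the address check is syntactic only (no checksum). Everything the parser extracts is the attacker’s claim; it records the claim for the incident report and for whoever handles the law-enforcement contact, it does not verify it.

```python
"""Added example, not code from the original post: pull the fields an incident
record needs out of a DDoS ransom note and sanity-check the payment address.

The note below is constructed for this example; its bc1q... address is a
placeholder that only satisfies the syntactic check. Every value extracted is
the attacker's claim, which the parser records but cannot verify.
"""
import re

# Groups the post says extortionists impersonate; used only for matching claims.
KNOWN_CLAIMED_GROUPS = ("Fancy Bear", "Cozy Bear", "Lazarus Group", "Armada Collective")

# Legacy base58 (1.../3...) and bech32 (bc1...) address shapes. Syntax only, no checksum.
_BTC_ADDRESS = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
_BANDWIDTH = re.compile(r"(\d+(?:\.\d+)?)\s*([GT])bps", re.I)
_AMOUNT = re.compile(r"(\d+(?:\.\d+)?)\s*BTC\b")
_DEADLINE = re.compile(r"(?:in|within)\s+(\d+)\s+(hour|day)s?", re.I)
_ESCALATION = re.compile(r"increases?\s+by\s+(\d+(?:\.\d+)?)\s*BTC\b", re.I)
_DURATION = re.compile(r"(\d+)[\s-]*hour\s+(?:attack|flood)|for\s+(\d+)\s+hours?", re.I)

PLACEHOLDER_ADDRESS = "bc1q" + "x" * 38        # constructed, passes the syntax check only
CONSTRUCTED_NOTE = f"""\
Hello,
We are the Lazarus Group. Your network will be hit by a DDoS attack starting in 7 days
unless you pay 20 BTC to {PLACEHOLDER_ADDRESS}.
Our attacks peak at 2 Tbps. If you do not pay, the fee increases by 10 BTC
every day past the deadline.
"""


def claimed_gbps(text):
    """Largest bandwidth figure claimed, normalised to Gbps (None if absent)."""
    figures = [float(n) * (1000.0 if unit.upper() == "T" else 1.0)
               for n, unit in _BANDWIDTH.findall(text)]
    return max(figures) if figures else None


def claimed_duration_hours(text):
    """Claimed attack length, e.g. '24-hour attack' or 'for 6 hours' (None if absent)."""
    m = _DURATION.search(text)
    return int(m.group(1) or m.group(2)) if m else None


def deadline_hours(text):
    """Payment deadline in hours from receipt, e.g. 'in 7 days' -> 168 (None if absent)."""
    m = _DEADLINE.search(text)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    return n * 24 if unit == "day" else n


def triage(note):
    """Extract the claims and demands from a ransom note into a flat record."""
    lowered = note.lower()
    groups = [g for g in KNOWN_CLAIMED_GROUPS if g.lower() in lowered]
    amounts = [float(a) for a in _AMOUNT.findall(note)]
    escalation = _ESCALATION.search(note)
    address = _BTC_ADDRESS.search(note)
    return {
        "claimed_group": groups[0] if groups else None,
        "claimed_gbps": claimed_gbps(note),
        "claimed_hours": claimed_duration_hours(note),
        "demand_btc": amounts[0] if amounts else None,             # first figure is the demand
        "escalation_btc": float(escalation.group(1)) if escalation else None,
        "payment_address": address.group(0) if address else None,  # None if nothing well-formed
        "deadline_hours": deadline_hours(note),
    }


if __name__ == "__main__":
    for field, value in triage(CONSTRUCTED_NOTE).items():
        print(f"{field:>16}: {value}")
```

The record gives the response team the deadline to plan around and the size claim to compare with what the DDoS provider actually observes once traffic arrives; a well-formed address does not mean the sender controls it, and a famous group name does not mean the sender is that group.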


If You’re a Victim, What to Do?


The threat is real. Observed attacks have ranged from a few gigabits per second to hundreds of gigabits per second, reaching as much as 300 Gbps, depending on the size and reach of the victimized entity. While far below the 2 Tbps attacks the notes threatened, the attacks actually carried out still proved devastating for many organizations.


Radware advises targeted organizations not to pay the ransom, at least not if they have adequate DDoS protection. Organizations that lack the appropriate protection should find a trustworthy partner or vendor to help shore up their defenses so that any follow-up attacks do not disrupt the business.


Effective Protection


Radware offers a few tips on how to protect the business from DDoS attacks.


  • Hybrid DDoS protection. Combining on-premises and cloud-based DDoS protection gives real-time prevention while also handling high-volume attacks and protecting against pipe saturation.


  • Behavioral-based detection. Detection based on a learned baseline of normal traffic recognizes and blocks anomalies quickly and reliably while letting legitimate traffic through.


  • Real-time signature creation. Generating a blocking signature from the anomalous traffic as the attack unfolds protects promptly against unknown threats and zero-day attacks.


  • Cyber-security emergency response plan. Such a plan includes a dedicated emergency response team of specialists who can handle IoT botnet outbreaks and have expertise in IoT security.


  • Intelligence on active threat actors. High-precision, correlated, and analyzed data provides preemptive protection against known, currently active attackers.
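To make the behavioral-detection and real-time-signature tips concrete, here is an added example (not Radware’s code and not from the original post) of the two mechanisms working together on constructed web-server traffic: a baseline of per-second request rates is learned from a quiet minute, the current window is checked against it, a signature is derived from the attribute values that dominate the anomalous window, and the signature is checked for what it would block before it is enforced. The request records, addresses and user-agent strings are all constructed, and the thresholds (4 standard deviations, 50 % share, 3× the baseline share) are assumptions.

```python
"""Added example, not Radware's code and not from the original post: behavioral
baseline detection of a request flood plus real-time signature generation.

All traffic is constructed. Legitimate clients come from 198.51.100.0/24 with
a round-robin of paths and browser user agents; the flood comes from
thousands of 100.64.0.0/10 addresses sending one identical request shape.
Thresholds are assumptions chosen for illustration.
"""
import statistics
from collections import Counter

LEGIT_PATHS = ["/", "/login", "/api/items", "/static/app.js", "/search"]
LEGIT_UAS = ["Mozilla/5.0 (Windows NT 10.0) Firefox/115.0",
             "Mozilla/5.0 (Macintosh) Safari/605.1",
             "Mozilla/5.0 (X11; Linux) Chrome/120.0"]
BOT_UA = "Mozilla/5.0 (compatible; constructed-flood-tool/1.0)"
ATTRS = ("method", "path", "ua")   # candidate signature attributes (never src: too many values)


def legit_requests(t0, seconds):
    """9-11 requests per second from ordinary clients, deterministic jitter."""
    reqs = []
    for t in range(t0, t0 + seconds):
        for j in range(9 + t % 3):
            i = t * 11 + j
            reqs.append({"t": t, "src": f"198.51.100.{i % 254 + 1}", "method": "GET",
                         "path": LEGIT_PATHS[i % 5], "ua": LEGIT_UAS[i % 3]})
    return reqs


def flood_requests(t0, seconds, per_second):
    """Constructed botnet: many sources, every request hitting /search with one UA."""
    reqs = []
    for t in range(t0, t0 + seconds):
        for j in range(per_second):
            i = (t - t0) * per_second + j
            reqs.append({"t": t, "src": f"100.64.{i // 254 % 256}.{i % 254 + 1}",
                         "method": "GET", "path": "/search", "ua": BOT_UA})
    return reqs


def per_second_rates(reqs):
    counts = Counter(r["t"] for r in reqs)
    return [counts[t] for t in sorted(counts)]


def baseline_model(reqs):
    """Learn (mean, stdev) of the request rate from a window of normal traffic."""
    rates = per_second_rates(reqs)
    return statistics.mean(rates), statistics.stdev(rates)


def is_anomalous(model, reqs, k=4.0):
    """Behavioral check: current mean rate beyond k standard deviations of baseline."""
    mean, stdev = model
    return statistics.mean(per_second_rates(reqs)) > mean + k * stdev


def shares(reqs, attr):
    counts = Counter(r[attr] for r in reqs)
    return {value: n / len(reqs) for value, n in counts.items()}


def build_signature(baseline, current, min_share=0.5, min_ratio=3.0):
    """Real-time signature: attribute values that dominate the anomalous window
    and are far more common than in the baseline, joined as a conjunction."""
    signature = {}
    for attr in ATTRS:
        base, cur = shares(baseline, attr), shares(current, attr)
        for value, share in cur.items():
            if share >= min_share and share / max(base.get(value, 0.0), 1e-6) >= min_ratio:
                signature[attr] = value
    return signature


def matches(req, signature):
    return all(req.get(attr) == value for attr, value in signature.items())


def evaluate(signature, legit, attack):
    """What the signature would block; an empty signature must block nothing."""
    if not signature:
        return {"attack_blocked": 0.0, "legit_blocked": 0.0}
    return {"attack_blocked": sum(matches(r, signature) for r in attack) / len(attack),
            "legit_blocked": sum(matches(r, signature) for r in legit) / len(legit)}


BASELINE = legit_requests(0, 60)       # one quiet minute used to learn normal
LEGIT_NOW = legit_requests(60, 10)     # the same clients during the attack window
FLOOD = flood_requests(60, 10, 200)    # 200 req/s flood from 2000 sources
CURRENT = LEGIT_NOW + FLOOD

if __name__ == "__main__":
    model = baseline_model(BASELINE)
    print("anomalous:", is_anomalous(model, CURRENT))
    sig = build_signature(BASELINE, CURRENT)
    print("signature:", sig, evaluate(sig, LEGIT_NOW, FLOOD))
```

The method attribute never enters the signature because `GET` is equally common before and during the attack; the path alone would also match legitimate searches, so the conjunction with the user agent is what keeps the false-positive rate at zero here. In production the candidate attributes are richer (header order, TLS fingerprint, packet sizes for layer 3/4 floods) and the evaluation step is what stops a hastily generated signature from becoming a self-inflicted outage.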




Conclusion

Cybercriminals operating ransomware traditionally seized and encrypted confidential data and then demanded money to decrypt it; they later added the threat of leaking the stolen data, and DDoS now gives them a third lever. It is essential to have all safety measures in place to avoid falling victim to these attacks. Elevate your career today by becoming a cybersecurity professional: enroll in cybersecurity professional training.