Radware Warns Financial Sector of Possible Cyberattacks
- 06.05.2016 01:00 pm
According to insight from Radware’s Emergency Response Team (ERT), the number of DDoS for Ransom attempts worldwide grew significantly during the last week. Most worrying, the ERT has discovered that many of the letters used to request the ransom are fake, yet companies are falling for the scam.
Radware is warning the financial sector to take caution when assessing the legitimacy of a threat, and to consider seeking expert advice to help decipher the threat level to their business.
Daniel Smith, one of Radware’s leading researchers and a former hacker, explains: “Distributed Denial of Service (DDoS) for Ransom attacks work by running a ‘sample’ attack on a company network while at the same time sending a note asking for payment, usually in bitcoin, by a certain date ‘or else’ they will hit the company with a much larger and more devastating attack. When companies pay up, the hackers take advantage of the situation by returning to extort again. It’s a simple game of squeezing more money once they know they have your attention.
“The most prolific DDoS groups – Lizard Squad, Armada Collective and DD4BC – have been caught and numerous arrests have been made over the past 12 months. After the last wave of these arrests in December, the global ransom landscape quietened down.
“But last week we saw an exponential rise in the number of DDoS for ransom letters being sent. The first wave of these letters promised an attack by a certain date if bitcoin was not paid. However, after that deadline passed, no attacks took place. We then saw a second wave of these ‘fake’ ransom notes going out to a new round of unsuspecting companies. When examining these notes, we quickly saw a clear difference between the legitimate and the fake ransom notes.
“The latter are being sent by opportunists who claim to be from groups like Lizard Squad, but actually have no official links, or intention of running an attack. They are hoping that their victim will pay up out of fear.”
Radware’s ERT is concerned that companies will be lulled into a false sense of security by this flood of fake ransom notes. Daniel adds: “It’s only a matter of time before we see a new group attempting to launch a DDoS for Ransom campaign. There’s therefore no guarantee that next time the company will be so lucky as to escape a full-blown attack. And of course, if that does happen, untold damage could be done to a company’s network and reputation.”
Radware has issued a guide to spotting a fake ransom letter and information on how to deal with a ransom attack generally.
How to detect a fake:
- Fake hackers request different amounts of money. Armada Collective normally requests 20 bitcoin. Other campaigns have been asking for amounts above and below this amount. Low bitcoin ransom letters are most likely from fake groups hoping their price point is low enough for someone to pay rather than seek professional assistance.
- Real hackers prove their competence by running a small attack while delivering a ransom note. If you can see a change in your network activity, then it’s probably genuine.
- The fake hackers don’t link you to a website or have official accounts, which is a good sign they are not organised.
- Real hackers tend to attack many companies in a single sector. Fake hackers target anyone and everyone.
- There are subtle differences between a real and a fake ransom note, as can be seen in this alert: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/ransom-attacks/
How to manage a suspected attack:
- Bottom line: whether you think it is real or not, seek expert advice on how to safeguard your network.
- Enlist the help of a security specialist who can intervene and protect your network before any damage is done.
- Educate employees to check email spam filters regularly so genuine ransom notes are not missed.
- Consider employing or consulting with an ex-hacker who can help you spot the trends. If you are uneasy about the risk, then work with a partner who is employing the skills of ex-hackers.
Companies can stay on top of the latest information and attacks happening around the world by visiting Radware's Threat Advisories and Reports website or by downloading the Radware app from the Apple Store.