In late March, the FBI issued an advisory detailing the tactics of a ransomware gang that has been targeting victims in critical infrastructure sectors, including financial services, manufacturing and government. In some cases, the FBI explained, ransomware operators will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations over the payout.
The alert provides the latest evidence of the increasing sophistication of ransomware gangs, who have evolved from primarily using encryption to hold companies’ files hostage, to combining encryption with data theft, and more recently adding DDoS to the mix. In addition to launching their own attacks, these gangs often sell their software to other criminals, packaged as ransomware-as-a-service (RaaS).
As a result, ransomware attacks are more frequent and varied. And they’re already incredibly costly to their victims. The total average cost of a ransomware attack in 2021 was $4.62 million, according to IBM’s Cost of a Data Breach Report.Tacking on a (threatened or actual) DDoS attack takes cyber extortion to the next level.
How DDoS is Supercharging Ransomware
DDoS exploits – in which attackers overwhelm a targeted server, service or network with a flood of traffic from multiple systems – are among the oldest forms of cyberattack. In the early days, they may have been used for hacktivist efforts or cyber vandalism. Ultimately, DDoS evolved into a tool for cyber warfare and extortion.
While DDoS threats never went away, a rise in machine-to-machine communication, along with a growing network of potentially unsecured connected devices, has enabled cybercriminals to develop more powerful botnet-enabled DDoS approaches in recent years. The Covid-19 pandemic fueled an uptick in DDoS attacks, according to reporting by CSO, and the last two years have seen the old-school approach reemerge stronger than ever – both in terms of number and size of attacks.
DDoS can become part of the cyber extortion mix in a number of ways. In some cases, cybercriminals have used the attack itself (or threat of it) for extortion purposes, crippling an organization’s networks with an offer to relent for the right price. This method has a lower barrier to entry than coupling DDoS with encryption, since DDoS services are widely available on the Dark Web for as low as $7 per attack, CSO pointed out. In time, if companies keep getting better at preventing encryption-based ransomware attacks, straight DDoS extortion could grow.
Smaller, more targeted DDoS attacks may also be launched as cover for the infiltration of malware or exfiltration of data necessary to launch a ransomware exploit. Then, there’s the approach described by the FBI, in which ransomware gangs will threaten (or launch) a DDoS attack to pressure victims during negotiations. Dubbed a “triple extortion threat,” the attackers encrypt and often exfiltrate the organization’s data and – if the victim is not forthcoming with the ransom – they use a DDoS attack as additional persuasion.
Email Security: The First Line of Defense
The brute force of DDoS attacks and encryption-based ransomware – on their own or in combination – is unlikely to abate anytime soon. While cybercriminals are seeing increasing success with their efforts, protecting against these attacks comes down to some long-touted best practices regarding email infrastructure and inbox vigilance.
The vast majority of cyberattacks begin with a phishing email to an unsuspecting victim. In fact, email is the top infection vector for ransomware incidents, according to a 2021 advisory from the Cybersecurity and Infrastructure Security Agency. An email lures the recipient into opening infected attachments, clicking on malicious links or revealing their passwords. Some ransomware is using email in new ways (for example, entering networks via encrypted emails), to avoid email security filters.
On the DDoS side, attackers may send personalized emails threatening an attack as a way to extort money or, if an encryption attack is already in progress, to double down on companies that are slow to hand over demanded ransom. The DDoS attack itself will often begin with the infection of email-delivered malware capable of self-propagating on the network.
Because the bad guys use email as their way in, mitigation efforts must focus on email security technology as a primary prevention measure. Tools with functionality like Mimecast’s targeted threat protection stay up to date on the most common cybercrime techniques used by hackers – malicious URLs, weaponized attachments, and social engineering – while scanning all inbound email and blocking, quarantining or tagging suspicious emails to help prevent attacks on a company’s network. Security technologies can also help prevent DDoS attacks directly aimed at shutting down an organization’s email infrastructure.
The Bottom Line
Cyber attackers are always looking for more effective – and profitable – attack vectors to pursue. Right now, hybrid ransomware approaches involving encryption and DDoS are near the top of the list. Staying informed about these evolving threats and investing in technologies to defend against them are critical in protecting your company. Explore Mimecast’s email security options and see how they can help.
 “Joint Cybersecurity Advisory: Indicators of Compromise Associated with AvosLocker Ransomware,” FBI
 “Cost of a Data Breach Report 2021,” IBM
 “The Rise of DDoS: Flooded Networks, Downtime and How to Bolster Protection,” Infosecurity Magazine
 “DDoS attacks: Stronger than ever and increasingly used for extortion,” CSO
 “Denial of Service Attacks Expected to Get Bigger, Nastier,” Data Center Knowledge
 “How Ransomware is Teaming Up with DDoS,” Infosecurity Magazine
 “Welcome to the new world of triple extortion ransomware,” Security Magazine
 “91% of all cyber attacks begin with a phishing email to an unexpected victim,” Deloitte
 “CISA, FBI, NSA and International Partners Issue Advisory on Ransomware Trends from 2021,” Cybersecurity and Infrastructure Security Agency