After a brief hiatus, attackers have returned with a series of new DDoS attacks, and this time they have introduced a technique that is far more devastating than before.
According to findings from IT security firm Akamai, attackers are now launching record-breaking DDoS attacks and pairing them with ransom demands that victims are expected to pay to make the attacks stop. The difference this time is that the attackers have managed to embed the ransom notes in the attack traffic itself.
A number of distributed denial-of-service (DDoS) attacks were launched over the past week against a wide range of targets. The targeted servers were overloaded with junk traffic and the websites were taken offline, with the attackers using Memcached servers (caching servers that speed up websites by keeping frequently used data in memory) to amplify the strength of the attack.
One such massive attack, the largest DDoS attack recorded so far, was thwarted by code-sharing platform GitHub on Wednesday with the help of Akamai. The attack peaked at roughly 1.35 terabits per second. While helping GitHub fend it off, Akamai security researchers noticed that the attackers were stuffing the traffic with ransom notes.
It is not uncommon for DDoS attacks to be launched with the objective of extorting targets for cryptocurrency, but now the attackers are issuing their demands inside the inbound traffic flow. According to Akamai, there are over 50,000 exposed Memcached systems that can be abused to launch massive DDoS attacks.
In its blog post, Akamai noted: “This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed. Because of Memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.”
It is worth noting that on February 28th the Russia-based DDoS mitigation firm Qrator also published a warning about the threat of huge DDoS attacks using Memcached servers. Qrator stated that the possibility of launching such high-volume DDoS attacks was initially identified by a China-based team of security researchers at the 0Kee Team cybersecurity firm, while the concept of launching attacks by abusing Memcached servers was introduced in a 2014 Black Hat USA security conference talk entitled “Memcached injections.”
KrebsOnSecurity’s Brian Krebs noted in his blog post that on Thursday the Boston-based cyber-security firm Cybereason revealed that it had been closely tracking the recent Memcached attacks and that attackers are embedding a brief ransom note and payment address in the junk traffic being sent to Memcached services.
According to Akamai’s findings, a note was discovered in the flood of DDoS attack data whose purpose was to request payment in cryptocurrency. The attackers asked for 50 XMR (Monero), equivalent to roughly $16,000 at the time, and a digital wallet address was included in the note. The note read: “Pay_50_XMR_To…”.
Cybereason noted that the payment request is repeated inside the stored value until its size reaches about one megabyte. Cybereason’s principal security intelligence researcher Matt Ploessel stated:
“The payload is the ransom demand itself, over and over again for about a megabyte of data. We then request the Memcached ransom payload over and over, and from multiple Memcached servers to produce an extremely high volume DDoS with a simple script and any normal home office Internet connection. We’re observing people putting up those ransom payloads and DDoSsing people with them.”
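The traffic described above has a recognisable shape from the defender's side: UDP datagrams arriving from source port 11211 that carry a Memcached ASCII "VALUE" reply whose body is one short note repeated many times, and that are many times larger than the tiny "get" request that reflects them. The detector below is an added example for this article, not Akamai's or Cybereason's code; the datagrams it scans are constructed inline (the wallet address is a placeholder, and the "get" request size and amplification threshold are assumptions for illustration).

```python
"""Flag Memcached reflection datagrams and repeated ransom-note payloads.

Hypothetical detector written for this article; the sample datagrams are
constructed, not captured traffic.
"""
import re

MEMCACHED_UDP_PORT = 11211
# Assumption: a reflected "get" request over UDP is about 15 bytes
# (8-byte UDP frame header plus "get a\r\n"); replies far larger than that
# are amplification. The threshold is an illustrative choice.
ASSUMED_REQUEST_LEN = 15
MIN_AMPLIFICATION = 10

VALUE_HEADER = re.compile(rb"^VALUE (\S+) (\d+) (\d+)\r\n")


def parse_memcached_response(payload: bytes):
    """Return (key, stored_value) if payload looks like a memcached ASCII VALUE reply.

    Memcached UDP replies start with an 8-byte frame header (request id,
    sequence number, datagram count, two reserved zero bytes) before the
    ASCII protocol text; strip it when present.
    """
    body = payload
    if len(body) >= 8 and body[:5] != b"VALUE" and body[6:8] == b"\x00\x00":
        body = body[8:]
    m = VALUE_HEADER.match(body)
    if not m:
        return None
    key = m.group(1).decode("ascii", "replace")
    length = int(m.group(3))
    return key, body[m.end():m.end() + length]


def repeated_unit(data: bytes, min_repeats: int = 4):
    """Return (unit, count) if data is one short unit repeated, else None.

    (data + data).find(data, 1) yields the smallest period of a periodic
    byte string in linear time; a ransom note padded out to ~1 MB is
    exactly this shape.
    """
    if not data:
        return None
    period = (data + data).find(data, 1)
    if period == len(data):
        return None  # no repeating structure
    count = len(data) // period
    if count < min_repeats:
        return None
    return data[:period], count


def classify_datagram(src_port: int, dst_port: int, payload: bytes):
    """Describe one UDP datagram; None if it is not a memcached reply."""
    if src_port != MEMCACHED_UDP_PORT:
        return None
    parsed = parse_memcached_response(payload)
    if parsed is None:
        return None
    key, value = parsed
    amplification = len(payload) / ASSUMED_REQUEST_LEN
    finding = {
        "key": key,
        "bytes": len(payload),
        "amplification": round(amplification, 1),
        "amplified": amplification >= MIN_AMPLIFICATION,
        "repeated_note": None,
        "repeats": 0,
    }
    unit = repeated_unit(value)
    if unit:
        finding["repeated_note"] = unit[0].decode("ascii", "replace")
        finding["repeats"] = unit[1]
    return finding


def build_sample_response(value: bytes, key: bytes = b"a") -> bytes:
    """Construct a memcached UDP VALUE reply (frame header + ASCII reply)."""
    header = b"\x00\x01\x00\x00\x00\x01\x00\x00"  # req id 1, seq 0, 1 datagram, reserved
    return (header + b"VALUE " + key + b" 0 " + str(len(value)).encode()
            + b"\r\n" + value + b"\r\nEND\r\n")


# Constructed samples: the wallet address is a placeholder, not a real one.
RANSOM_NOTE = b"Pay_50_XMR_To_<WALLET_ADDRESS_PLACEHOLDER>\n"
SAMPLE_DATAGRAMS = [
    (11211, 40000, build_sample_response(RANSOM_NOTE * 200)),  # ransom reflection
    (11211, 40001, build_sample_response(b"hello")),            # ordinary small reply
    (53, 40002, b"\x12\x34\x81\x80not-memcached"),              # unrelated UDP
]


def scan(datagrams):
    """Return findings for datagrams that are amplified or carry a repeated note."""
    flagged = []
    for src, dst, payload in datagrams:
        f = classify_datagram(src, dst, payload)
        if f and (f["amplified"] or f["repeated_note"]):
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in scan(SAMPLE_DATAGRAMS):
        print(f)
```

Running the script prints one finding: the reply whose value is the note repeated 200 times, with an amplification factor in the hundreds, while the ordinary reply and the non-Memcached datagram pass unflagged. The same two signals, a reply from source port 11211 that dwarfs any plausible request and a body with a tiny repeating period, are what a network sensor would alert on.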
Currently, Akamai researchers are unsure whether any organizations have paid up, because payment is demanded in Monero, which is far harder to trace than Bitcoin. That anonymity cuts both ways: the attackers themselves will struggle to work out which victims, if any, have paid.
Akamai nonetheless warned potential victims that paying the ransom is unwise, since doing so gives no assurance that the attackers will stop bombarding them with junk traffic. Companies should therefore avoid giving in to the attackers’ demands.
“If a victim were to deposit the requested amount into the wallet, we doubt the attackers would even know which victim the payment originated from, let alone stop their attacks as a result. Even if they could identify who’d sent the payment, we doubt they’d cease attacking their victim as it was never really about the money anyways,” read Akamai’s official blog post.
The video below, recorded by Cybereason and shared by Brian Krebs, shows the Monero ransom demand being sent as part of the attack traffic: