top of page
  • Writer's pictureORNA

Ransom DDoS Attacks as a Lucrative Attack Vector

Let’s talk about botnets. These nasty little programs are possibly the second most powerful leveraging weapon to zero-day exploits in the hands of hackers.

That’s because of the broadness of their utility, and when all contingencies have failed, launching a distributed denial of service attack (DDoS) is often a viable solution in neutralizing a target.

The term “botnets” is a compressed phrase derived from a robot network. These can be described as a kind of malicious backdoor program that has the ability to infect any number of devices that can be controlled simultaneously from one centralized control location, called a Command and Control (C2) server.

Attacks are launched from multiple remote locations from computers or devices that have been hijacked by the intruder, which is manipulated into distributing massive amounts of data packets. This is in order to flood the resources of a target website with an overwhelming amount of HTTP requests, like a sudden surge of website visitors that’s generating too much traffic for the server resources to handle.

Ultimately, the server shuts down, and legitimate access to users is denied.

If only that’s all they were capable of doing. I used to use bots back in the day, but mostly to shut down competing hacker podcast streams. Most botnet servers are open-source and are available for anyone to download and tinker with.

This means anyone can get their hands on them, and it doesn’t necessarily take a genius to figure out how to modify the source code, crypt it, and compile it into an executable, ready to be implemented in various spreading vectors.

Botnets and Their Attack Utility

Bots are like Swiss Army knives. They can be used to scan networks and launch additional attacks. This can be useful because the C2 server can serve as a kind of barrier between a threat actor and the target, assuming the hacker practices good OPSEC and doesn’t flop on maintaining the integrity of their anonymity.

Most botnets come with some form of spreading capability as well. After all, the more the botnet server is able to proliferate by seizing control over other systems, the larger the botnet pool becomes.

More bots mean more firepower. More accounts can be compromised. Each computer or device in the robot network is transformed into a weapon that is used against the victim, and other users abroad.

Bots can be used to turn infected systems into a crypto-mining operation. They can capture the keystrokes of an unsuspecting user’s sessions, perform system tasks, and while the list describing their versatility can go on, these malicious programs can also leverage entire web servers by pummeling them to death, effectively taking them offline and denying access to services.

I think it’s worth pointing out that botnets are not only used for malicious purposes. They can be used in an ethical way by providing a secure connection to a remote system for auditing and monitoring purposes, as opposed to using commercial tools. But to do so would definitely be a very hacker thing to do, and admitting to something like that might raise some eyebrows for sure.

Ransom DDoS Attacks Explained

A recent study centered on cyber-attack trends showed that Ransom DDoS attacks outlined a 29% increase year-on-year between the third quarter of last year, with a whopping 175% increase by the fourth quarter.

According to an annual survey from Cloudflare, DDoS attacks associated with threats of extortion are on the rise. This is being coined Ransom DDoS attacks. Also, a report published last September by cybersecurity researchers at Netscout showed that the first half of 2021 saw 5.4 million DDoS attacks on record, representing an 11% increase in contrast with the same timeframe the year prior.

Ransom DDoS attacks occur whenever a company or business is extorted by cybercriminals who attempt to shake down the company with large payouts or else they launch the attack. But this is only a single scenario.

Sometimes the attacker will blast the target, before demanding payment as a means of flexing their power to add credibility to the threat when payment is demanded. It isn’t uncommon that the attacker isn’t capable of launching the attack for some reason, yet issues the threat anyway, under the premise that attacks will follow unless the demands are met.

Over a decade ago, this was a very lucrative attack vector performed against illegal online gambling casinos operating in the United States, which continue, to some degree, to be a ripe target. This is because illegal online casinos had no way to report it to authorities without jeopardizing their operations and being the ones carted away in handcuffs. However, only a few select States have legalized online betting.

Take, for example, Amazon, which earns $638 million in revenue daily. If all online transactions involving Amazon services stopped working for a day, a disruption of any kind would amount to a heavy loss, especially if it involved a security incident of any kind.

Attacks of this nature are easy to execute and don’t require much sophistication in order to launch. Aside from the programmer who coded it, there are plenty of tutorials online that can help guide anyone, from the researcher to the threat actor, in compiling, crypting, and launching the malicious code.

From my own experiences as a threat actor, attacks like this were made possible because of collaborating individuals within a private hacking community. One person programmed the malware, another person modified the script to privatize all the administrative controls or commands in order to communicate with the bot.

There was someone who knew how to crypt the source code from being stolen and to be able to protect the commands, and another person responsible for setting up the C2 server so all the bots that would soon be spread would know where to connect to, so the hackers could interface with the infected machines.

Who spread the bots was up to who had the most skill at infiltrating popular services, infecting online app downloads, or important updates. Therefore, there are oftentimes a lot of communal mechanisms at work during the research, stages of development, and deployment of botnet programs.

Regardless of what threat actors are doing, what's significant is having an actionable Incident Response plan ready to deploy in the event that your company or business finds itself in the crosshairs of cybercriminals.

Low-intensity attack scenarios can be simulated by Red Teams in order for Incident Responders to train and prepare for all possible contingencies for mitigation, as well as to ensure there will be no downtime suffrage.

Removing the leverage sought by cybercriminals is paramount. The shift of power should begin at the Incident Response level, long before a security incident begins.

An article by

Jesse McGraw

Edited by

Anne Caminer




Rome wasn't built in a day, but your SOC might be.


Weekly cyber insights

Thanks for submitting!

bottom of page