For almost as long as they’ve existed, DDoS ransom notes have been a joke. At least to anyone with any level of DDoS protection, or any understanding of how these extortioners operated. Some bored individual would pay his or her $12 to a DDoS-for-hire service and start flinging short-burst, low-volume demo attacks around the internet while sending “pay up or ELSE” emails with various levels of misspellings.

Often that short-burst, low-volume warning shot was all that would come from these would-be attackers, and if the promised DDoS punishment came, it was just another short-burst, low-volume attack that could be shrugged off with ease by even low-level DDoS protection.

However, times are changing, and as they tend to on the internet, they’re changing rapidly. Thanks to an advancement in DDoS attacks, DDoS ransom notes aren’t so funny anymore. 

Return on investment

Laughable though they may have been to some, DDoS ransom notes became quite common, and there are good reasons for that. DDoS attacks are well-known for the immense damage they can do, so if a website or business owner didn’t know the truth behind most of these threatened attacks, he or she had good reason to fear them and would pay up to try to head off any damage. With a DDoS-for-hire service these attacks were also relatively cheap and easy to accomplish. No special skills were necessary, and no effort was expended putting together a botnet since someone else had already done it.

For more serious attackers capable of building a botnet, it largely wasn’t worth going the extortion route. Better money could be made selling powerful, targeted DDoS attacks on the dark web or by renting out botnets in those above-mentioned DDoS-for-hire services. Why go to all that trouble putting together and running a massive botnet capable of serious attacks for such a low potential ROI? The pros were left with two basic choices: either forget about the DDoS ransom note game, or find a way to take the botnet hassle out of launching huge attacks capable of doing damage people would pay to prevent.

Guess which option they opted for.

The amplification factor

News broke recently about a new DDoS attack type, one that required very few computing resources from attackers in order to produce an attack of epic proportions. It’s called the Memcached attack, and it’s been used to smash the previous distributed denial of service attack record of 1.2 Tbps with first a 1.35 Tbps assault, and then a 1.7 Tbps punisher. 

The previous record-holding 1.2 Tbps attack was made possible by Mirai, an IoT botnet consisting of hundreds of thousands of devices. There’s no estimate on how many devices were involved in the new record-setting attacks because 1) it probably wasn’t many and 2) it doesn’t really matter. What does matter is that attackers figured out they could spoof their victim’s IP address and send requests for statistics to Memcached servers, which are free, open-source and public-facing servers that store incredible amounts of cached content in order to speed up website performance. By pretending to be the victim website and pretending to want those huge amounts of cached content, attackers only have to make a handful of requests to a handful of servers to easily unleash attacks in sizes the internet has never seen. 

Memcached attacks are what’s known as amplification attacks, and of all the amplification techniques, Memcached is number one. While the number two amplification technique has an amplification factor of 557 times the original payload, Memcached attacks boast an amplification factor of anywhere from 9,000 to 51,000.
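
On the receiving end, an attack like this shows up as unsolicited UDP traffic whose source port is memcached's default, 11211, arriving from several servers at once. The following is an added example (not from the original article) that flags that pattern in flow records; the record format, sample data and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # memcached's default port

# Constructed sample flow records (hypothetical format):
# proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 198.51.100.10 11211 203.0.113.5 40122 1400000
udp 198.51.100.11 11211 203.0.113.5 40122 1350000
udp 198.51.100.12 11211 203.0.113.5 51000 1420000
tcp 192.0.2.44 51514 203.0.113.5 443 5200
udp 192.0.2.53 53 203.0.113.5 33000 512
udp 198.51.100.10 11211 203.0.113.9 40000 900
"""

def parse_flows(text):
    """Yield (proto, src, sport, dst, dport, bytes); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, src, sport, dst, dport, nbytes = parts
        try:
            yield proto.lower(), src, int(sport), dst, int(dport), int(nbytes)
        except ValueError:
            continue  # non-numeric port or byte count

def find_memcached_reflection(text, min_bytes=1_000_000, min_reflectors=2):
    """Return {victim_ip: (total_bytes, [reflector_ips])} for destinations
    receiving heavy UDP traffic sourced from port 11211 on several hosts.
    Thresholds are illustrative assumptions, not tuned values."""
    per_victim = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for proto, src, sport, dst, _dport, nbytes in parse_flows(text):
        # Responses from a memcached server carry its port as the source port.
        if proto == "udp" and sport == MEMCACHED_PORT:
            per_victim[dst]["bytes"] += nbytes
            per_victim[dst]["reflectors"].add(src)
    alerts = {}
    for dst, stats in per_victim.items():
        if stats["bytes"] >= min_bytes and len(stats["reflectors"]) >= min_reflectors:
            alerts[dst] = (stats["bytes"], sorted(stats["reflectors"]))
    return alerts

if __name__ == "__main__":
    for victim, (total, reflectors) in find_memcached_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {total} bytes from {len(reflectors)} memcached reflectors")
```

The list of reflector addresses it returns is the useful output: those are the exposed servers to report to their operators and to filter upstream.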

Making Monero

A number of attackers with the know-how to produce Memcached attacks are now using the technique for DDoS ransom attacks. The ransom note, demanding payment in a hard-to-trace cryptocurrency called Monero, is embedded right in the code of the attack, ensuring that any security personnel struggling to deal with the attack will see it. At the time these attacks started, the notes were demanding 50 Monero cryptocoins, worth roughly $16,000 USD.

Unlike the old breed of DDoS ransom notes, these ones appear in the midst of a serious attack, often of a size that anything but leading cloud-based mitigation would struggle to deal with, making downtimes and serious financial consequences a stark reality. Even so, the DDoS ransom note advice remains the same: under no circumstances should you pay the ransom. Not only does this mark you as an unprotected target, but Monero is so hard to trace, attackers likely won’t even know which company is paying the ransom and probably won’t stop the attack.

If you’re going to spend money in the midst of a big-time Memcached attack, it should be on onboarding leading cloud-based DDoS protection, with a network of scrubbing servers each capable of processing over 500 million packets per second and over 400 gigabits per second. With that kind of protection on your side you can go back to laughing at any and all DDoS ransom demands.