DDoS Tsunami

With Kaspersky Labs releasing its malware report focusing on the second quarter of this year, as well as research conducted by Cisco and Umbrella, there appears to be a marked rise in DDoS attacks. Many of these attacks seem to originate in Southeast Asia, and many target businesses and corporations within China.

Most recently there has been a marked rise in DDoS services for hire, sometimes referred to as DDoS booters or DDoS stressers. Many of these have appeared in China, seemingly using the same platform. It would be easy to assume that the same authors are offering multiple services across a variety of platforms in order to increase their market dominance; however, researchers at Cisco revealed the opposite to be true.

Similar but different

Researchers began by searching for recently registered domain names using or containing the acronym “DDoS”. They discovered multiple DDoS-for-hire platforms, all using the same or a similar backend and all targeting Chinese speakers as customers for the service. A total of 32 of these platforms used an identical backend. This alone would lead most to believe that a single threat actor was behind the entire business.

However, researchers noticed very subtle differences when they registered different accounts on the platforms. While they found differing UI (user interface) tweaks, it was how each platform handled and processed payments that led the researchers to believe that not one but multiple threat actors were at work. The use of a similar, if not identical, UI even came down to the authors using the same admin panel, which can be found in a free Bootstrap theme offered by Pixelcave.

Researchers believe that one Chinese-speaking actor bought or otherwise obtained DDoS platform source code, translated it into Chinese and began selling it to other Chinese-speaking actors. The initial actor may even be providing the source code for free. Such an event goes a long way towards explaining why there has been a marked increase in DDoS-for-hire schemes as well as DDoS attacks in China.


DDoS Attacks on the Rise

In the second quarter of 2017, Kaspersky Labs noticed a marked increase in the number of DDoS attacks used for seemingly political ends. The world had already witnessed the attack on Al Jazeera, as well as on the French news outlets Le Monde and Le Figaro. Another DDoS attack left British voters unable to vote in the Brexit referendum. In another instance, after the Federal Communications Commission announced that it planned to end net neutrality, the public comment section on its website was rendered inoperable. The actual reason for that attack is still unknown, but it may have been carried out by supporters of net neutrality to prevent fake comments in support of the commission’s decision from being posted to the comments section.

While in the above instances a direct political aim could be ascertained, the vast majority of such attacks appear to be purely financial. Many of the attacks occurring in the second quarter targeted cryptocurrency exchanges. Bitfinex, the world’s largest Bitcoin exchange, was attacked on the day it started trading a new IOT-currency. The infamous and now largely defunct BTCe exchange also reported that its services were slowed by a DDoS attack. The reason for these attacks is an attempt by criminal organisations to unduly influence the market price of the cryptocurrencies. Given their current extreme volatility, criminals believe this can easily be done.

There is a downside for hackers and organised crime groups using DDoS attacks for financial gain. As the attacks become more widespread and victims lose ever increasing amounts of money, more pressure is placed on law enforcement agencies globally to apprehend the criminals responsible. The creator of the Titanium Stresser botnet was recently apprehended and sentenced to two years in jail for selling the botnet on the Darknet five years previously while still a student. In Kaspersky Labs’ quarterly report, researchers noticed no real technological innovations; however, a new attack vector is being used by criminals. Researchers at Corero Network Security reported more than 400 attacks in the quarter resulting from misconfigured LDAP servers.

Ransom DDoS

With the rise in the use of ransomware, it was perhaps only a matter of time until a combination of ransomware-style extortion and DDoS attacks would appear. The second quarter of the year saw a rise in what has been termed Ransom DDoS (RDoS). Unlike ransomware, where a ransom is demanded in order to decrypt the victim’s files or restore access to the victim’s system, in an RDoS attack a message is sent to a company demanding that a certain amount of Bitcoin be paid by a certain time, otherwise the sender will hit the company with a DDoS attack. Often the company in question is hit with a small DDoS attack intended to demonstrate that the authors have the power to cause massive financial harm and that paying the ransom might be in the company’s financial interest. Of course, others have seized on the opportunity to send messages to multiple companies at a time threatening such an attack, with no demonstration of whether they are capable of carrying it out.

While the technology behind such attacks seems to have stagnated slightly, DDoS attacks remain one of the favoured tools of cyber criminals. With the rise of so-called Ransom DDoS attacks, or RDoS, the threat posed by such attacks should not be underestimated. They have the potential to be used both as a political tool and as a method of extorting money from businesses. Because of the threat posed by such attacks, companies have paid the ransom even when no proof of the attacker’s ability to carry out the attack was seen. This could become a new favoured method for fraudsters, as the mere threat of an attack can result in a ransom being paid.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
