Ransomware Gangs using DDoS Threats for Extortion

Europol recently published their Internet Organised Crime Threat Assessment report for 2021 which highlights several trends relating to cyber threats, with ransomware yet again featuring prominently in their research. The report notes, among several other trends, that ransomware reports have increased over the 12 month reporting period looked into by the law enforcement organization and that Distributed Denial of Service (DDoS) attacks, or the threat thereof, are being used to place further pressure on victims.

The report also notes that ransomware operators are targeting the supply chains of high-value targets as a means to compromise the target. To that extent, the use of what the report calls “traditional mass-distributed ransomware” is on the decline with ransomware gangs specializing in ransomware-as-a-service favoring hyper-targeted approaches when picking victims.

Ransomware Gangs using DDoS Threats for Extortion

The human-operated ransomware trend continues with gangs targeting private companies, the healthcare and education sectors, critical infrastructure, and governmental Institutions. Europol summarises this approach as,

“The shift in the attack paradigm indicates that ransomware operators choose their targets based on their financial capability to comply with higher ransom demands and their need to be able to resume their operations as quickly as possible. Conti, Maze, Avaddon and Babuk are a few examples of ransomware groups engaged in targeting large corporations, while Ryuk ransomware is notorious for being widely used in attacks specifically against the
healthcare system.”

It is clear that spending more time attacking the types of organizations listed above is proving to be far more financially rewarding. This approach was pioneered by the now-defunct Maze ransomware gang, especially when they adopted the double extortion tactic. This tactic involves threatening to release sensitive data if the ransom is not paid by a deadline.

That being said recent operations by law enforcement organizations across the globe are forcing ransomware operators to consider the possibility of being caught, leaving them to modify tactics in an effort to protect the operation.

Such tactics include specifying certain economic or critical infrastructure sectors will not be targeted, as was seen with DarkSide, later to be linked to the BlackMatter ransomware gang.

Despite certain gangs avoiding certain targets, Europol believes that opportunities have increased for ransomware operators and affiliates. This has in part has resulted in an increase in sophistication as seen by the law enforcement organization.

The rise in opportunities is believed to have coincided with many organizations instituting work-from-home policies following the COVID-19 pandemic, which resulted in holes developing in the organization’s cybersecurity infrastructure as the attack surface is increased drastically. As for the increased levels of sophistication, Europol notes,

“Ransomware attacks have become more sophisticated as criminals spend more time inside the network researching the target and escalating their privileges in order to further compromise the infrastructure and get their hands on more data. Criminals use tools like Metasploit, Cobalt Strike and Mimikatz in their post-exploitation framework for lateral movement inside the network. Additionally, threat actors have started utilising fileless malware (using a system’s native tools to execute a cyber-attack) more extensively to avoid common detection methods that scan for malicious file attachments or the creation of new files. Fileless ransomware attacks use native scripting languages to write malicious code directly into the target system’s memory, or hijack built-in tools like PowerShell to encrypt files.”

DDoS as an Extortion Layer

Since 2020 and the development of the double extortion tactic, ransomware gangs began publishing stolen data via dedicated leak sites. Now the tactic has evolved to include using voice over internet protocol (VoIP) to call journalists or the organization’s clients and business partners in order to place more pressure on the victim to pay.

This is not the only added layer of extortion that has been added to the ransomware threat. There have been several reports that ransomware operators are threatening to conduct DDoS attacks against victims if they do not pay.

A DDoS attack can be seen as a malicious attempt to disrupt traffic to an organization’s internet-facing infrastructure. Often this is done by drastically increasing the traffic to a specific location causing servers to fail and services to be disrupted.

For an organization already suffering service outages from a ransomware attack, the further threat to loss of income will place extra pressure on business leaders to pay the ransom or not.

Ransomware gangs that are known to employ this tactic include Avaddon, DarkSide, Ragnar Locker, and Sodinokibi. Unfortunately, this has caused a spike in the number of victims who have paid the ransom. Europol notes,

“Due to more strategic targeting, the greater time spent before executing attacks, and multi-layered extortion methods, private partners have reported a sharp rise in the number of ransom payments made (over 300% increase) between 2019 and 2020, with known transactions totalling over USD 400 million. Additionally, the average paid ransom amount increased from USD 115 123 in 2019 to USD 312 493 in 2020 (over 170% increase)”

Given the obvious lucrative nature of ransomware for cybercriminals, Europol has also seen a rise in affiliate programs.

While this is not a new phenomenon, over the past year law enforcement has seen different threat groups partnering up along with partnering with certain affiliates to do the initial compromise, stealing of data, and encryption of data. For instance, ransomware has been distributed via Emotet’s infrastructure.

In January 2021, BazarLoader was used in a similar distribution capacity. Further, there have been several reports that suggest Ryuk, Emotet, and TrickBot have entered into a mutually beneficial partnership.

For followers of this publication, many of these trends will not come as a surprise as specific instances have been covered. However, Europol confirming these trends using the figures they have on hand, confirms that what we perceive as isolated instances are in fact trends shaping the ransomware landscape.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal