DDoS for Extortion: How to Fight BackInsights on How to Respond to the 'DD4BC' Threat
In the last three weeks, law enforcement agencies throughout the world have been warning banking institutions and businesses about extortion attacks being waged by an entity known as DD4BC, or DDoS for Bitcoin.
See Also: Rethinking Endpoint Security
DD4BC, which emerged in July 2014, has been targeting online casinos, betting shops and most recently banking institutions with distributed denial-of-service attacks that disrupt online services until a ransom is paid. Although these attacks have been waged for a year, authorities are still unsure of who is behind them or where they're based.
Law enforcement and regulatory agencies around the world are advising organizations to not pay ransoms to DD4BC. Instead, organizations should immediately contact their Internet Service Providers to see if they filter traffic to mitigate online downtime, as well notify their local police department.
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, noted in an interview with Information Security Media Group last week that some top-tier banks that had recently been hit by DD4BC were paying ransoms of up to $5 for every $100 worth of damage or loss due to downtime they could suffer if the attack were to continue.
Back in April, the DDoS-mitigation firm Arbor Networks posted an update about DD4BC's shifting attacks toward banking institutions.
DD4BC's Crime Spree
Global concern about DD4BC is growing, spurring international law enforcement agencies and security researchers to combine their efforts to catch the group or individual behind the ransom campaign, says Roland Dobbins of Arbor Network's security engineering and response team.
"We aren't sure if it's a small group or a single individual," Dobbins says. "But DD4BC aren't 'hacktivists'; they're straight-up criminals engaging in the online equivalent of the 'protection' racket. It's safe to say that the various law enforcement agencies and security researchers looking into DD4BC will be utilizing every piece of information at their disposal in order to form a clearer picture of DD4BC."
Unlike the DDoS attacks waged against leading U.S. banks in 2012 and 2013 by the self-proclaimed hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters, which apparently were waged for political reasons, DD4BC's attacks are solely for monetary gain, Dobbins says.
"Extortion is literally criminal, because it affects the targeted organizations and their customers - e.g., ordinary people who want to pay their online bills, but can't due to disruptions caused by the attacks," Dobbins says. "There is significant collateral damage and impact from DDoS attacks, which disrupt Internet traffic and access to services and applications that are unrelated to the actual targets of the attacks."
But Dobbins says DD4BC's attacks have not involved the exfiltration of data or malware. "DD4BC is not engaging in malware attacks to steal information and then blackmail the organizations with threats to release it, as far as anyone with direct knowledge of their activities knows," he says. "DD4BC, as the moniker implies, is strictly DDoS-only, as far as anyone has been able to verify; there are zero credible indications they've branched out beyond DDoS, which is plenty serious."
On Aug. 5, the Swiss Governmental Computer Emergency Response Team warned that attacks waged by DD4BC against European businesses had recently picked up. The team advised businesses not to pay the ransom, and instead talk with their ISPs about mitigation techniques, such as IP-based rate limiting or temporary geo-IP address filtering.
"In addition, we recommend to file a criminal complaint at your local police," the team notes.
Then, on Aug. 13, police in Guernsey, located off the coast of Normandy, issued a warned about DD4BC attacks increasing in frequency and number and noted that attacks had shifted from online casinos and betting shops to prominent financial institutions across the United States, Europe, Asia, Australia and New Zealand.
"DD4BC emailed an extortion notice to several local firms, followed by an active demonstration of their capabilities," the police alert states. "DD4BC says in the email: 'Don't worry, it will not be hard and will stop in 1 hour. It's just to prove that we are serious.' The group asks for 30 bitcoins, with a threat that the price goes up if the company does not pay within 24 hours. While none of the attempts - all made during the last six weeks - have been successful, the instances highlighted the importance of Bailiwick companies being prepared. We would recommend that any local firm reliant on maintaining Internet access employ anti-DDoS technology."
In mid-June, the U.S. Financial Industry Regulatory Authority issued a similar warning, noting that several of its member firms had reported being targeted by DD4BC.
"A successful DDoS attack renders a website or network unavailable for its intended users by overwhelming the site with incoming messages," the warning states. "It appears that DD4BC has been targeting financial services/broker-dealer firms that have an online presence."
FINRA recommends that institutions that receive communications from DD4BC contact the Federal Bureau of Investigation and the Securities Exchange Commission, as well as the authority. It also says institutions should prepare DDoS response plans, which include mitigation and monitoring tools, ISP traffic filters and contingency plans for communications with customers when websites are unavailable.
Finding Those Behind DD4BC
If global law enforcement agencies and groups pool their efforts, they eventually will be able to track down those behind DD4BC, says Andrew Komarov, president and chief intelligence officer of the enterprise threat intelligence unit of security firm InfoArmor. "Unfortunately, using cryptocurrencies has made bad actors pretty anonymous," he says. "They change wallets and generate new IDs for transactions, that's why it is pretty hard to trace the funds and to get any identity behind it."
Komarov contends the best way to stop DD4BC is to have cryptocurrencies like Bitcoin controlled and regulated by the government.
"Right now it is possible to use cryptocurrencies without any authentication and identification, which simply makes the doors for cybercriminals open for further crimes, including activities similar to DD4BC," he says.
Tom Kellermann, chief cybersecurity officer at security firm Trend Micro, says the growing impact of DD4BC on targeted organizations could be a catalyst for closer international collaboration among law enforcement agencies to catch cybercriminals.
"A targeted organization could end up on the receiving end of their extortion and denial-of-service attacks, which can be very detrimental in keeping their daily online operation functional and available to customers," Kellermann says. "Depending on your Internet-facing business, this could end up being financially impactful and interrupt normal business operations."