DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.
In recent weeks, the frequency of customers receiving ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to inform victims that they will launch a DDoS attack of 400-500 Gbps against them. To date, DD4BC attack campaigns mitigated by Akamai have not exceeded 50 Gbps in size. That's up from the high of 15-20 Gbps observed in early May. (A full history of the group's exploits and firepower can be found in this advisory from April.)
Below are the most commonly asked questions we've received from customers, along with some answers.
What is new since the last update?
The group can now attack with firepower of up to 50 gigabits per second. Additionally, they now threaten exposure of a targeted organization via social media in addition to the DDoS attack itself. The goal is to publicly embarrass the target via social media, harming the company's reputation and drawing additional attention that lends credibility to the service disruption. Their methodology has also changed: they use multi-vector campaigns more readily and, in some instances, revisit previous targets that experienced some level of impact during the initial event. We have also observed this group incorporating a Layer 7 attack as part of the multi-vector attack.
What is DD4BC?
The group (or multiple groups) is likely named DD4BC because they threaten to DDoS a target if a bitcoin ransom is not paid. There is no further attribution as to whether this is a single person or group(s), or whether they operate from a specific geographical location.
How does it work?
The group will send an email to their target -- often to many general distribution email addresses in the hope that someone will receive, read, and potentially acknowledge it. The email will explain that a small amount of DDoS traffic will be sent to the target's servers and that they should see it in their logs. This is also a test to gauge the target's level of exposure and potential impact, so the group can decide whether to adjust the type of attack against the targeted organization. The message will further explain that the targeted organization has 24 hours to pay an amount of bitcoin to the bitcoin wallet provided. Although they state that a DDoS attack will not occur if payment is received, we have not observed that to be the case; payment tends to motivate them to increase the requested amount of bitcoin. If payment is not received, the attack traffic will begin.
What typically happens after the 24 hours expires and the ransom is not paid?
In some cases, we have seen targets get an extension, but in others the attack has started as early as an hour after the notification was received. Organizations that have decided not to pay will typically receive a follow-up email trying to convince them to pay. We have also observed instances where the notifications cease once the attacker realizes that the attack is no longer effective.
How much is the ransom request?
The amount requested varies by organization. However, there is no true rationale as to why they request a specific amount. The only consistent factor is that it increases with each email notification. We typically see initial demands average 10-20 bitcoin; however, we have also observed demands as low as 1 bitcoin and as high as 100 bitcoins. The current exchange rate is approximately US $230 per bitcoin.
Is this CryptoLocker?
No. CryptoLocker and similar variants are malware placed on a computer that encrypts the data stored on it. The ransom demand for CryptoLocker is in exchange for the key that decrypts the data. There is no malware involved with DD4BC.
Which industries are affected by DD4BC?
Based on the confirmed attack data on the Prolexic platform, the targeted customers have been from the following industries: banking and credit unions (74%), gaming (15%), media and entertainment (4%), and payment processing (7%). The gambling, commerce, SaaS, education, hosting/DNS provider, and travel industries have also been targeted, but in very small numbers.
Is there a specific geographical region that is mainly targeted?
No. The attacks began with companies in North America and other non-US offshore businesses. They eventually moved on to European companies, and then focused on Korean, Chinese, Australian, and New Zealand companies for a period of time. In the most recent attacks, US and Canadian companies have been the primary focus; however, we have observed them continuing to impact various organizations globally.
What is most effective at mitigating attacks?
As the most effective solution, Akamai recommends running web properties that use port 80 and/or 443 on Kona Site Defender with Site Shield properly configured, and having Prolexic Proxy or Routed services ready for other ports and protocols. The attack looks like any other volume-based attack we have seen, using UDP, SSDP, NTP, DNS, SNMP, ICMP, Chargen and SYN floods. In some instances, we have seen application-layer GET floods using the xml-rpc pingback attack. Attacks are typically targeted at a specific IP address owned by the targeted organization. The targeted IP address is not always the most visible .com site; it can be anything that the group is able to identify and that can potentially cause some level of impact to the target.
What happens to the attack traffic when the Akamai and Prolexic solutions are in place?
Akamai or Prolexic customers have not been adversely affected by DD4BC traffic when these solutions are proactively in place. We have also seen the attackers redirect their efforts to alternate organizations once they see the attack is no longer effective and the email notifications as well as the attacks cease.
What should I do if I receive a letter from DD4BC?
If you are currently an Akamai or Prolexic customer utilizing any of our security services please contact the Security Operations Center and make them aware of the active threat. We also recommend that if any routing changes are required by your organization that you also submit a ticket to the SOC identifying the targeted IP listed in the demand email and move traffic onto the platform proactively if you are an "on demand" customer. If you are not a current Akamai or Prolexic customer in any way, you can get in touch with your local Akamai or Prolexic office from here: https://www.akamai.com/us/en/locations.jsp
Should we just pay the ransom?
No. If a targeted organization pays the ransom, there is no reason to believe that the attackers will not return again, often for a higher amount. Additionally, this could encourage other groups who may use the same name or in some way be associated with this group to threaten your organization and also send attack traffic. These types of attacks only work when the victims make them profitable for the attackers. Not paying the ransom will often lessen the pervasiveness of these attacks.
DD4BC claims they can send 400-500 Gbps of attack traffic. Is that true?
We have not observed anything even close to what is being claimed by this group as the largest confirmed attack to date is within the 50 Gbps range.
What type of attack do they use? What is the attack traffic?
The attack types we have seen include normal layer 3 amplification and reflection attacks. We have seen SYN, SSDP, NTP, Chargen, SNMP, DNS, ICMP and UDP floods. The traffic likely originates from rented botnets, as there are no consistent IP addresses across many attacks.
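Detection logic for the vectors listed above and in the mitigation answer, as an added example that is not Akamai or Prolexic code: it classifies constructed NetFlow-style records (the field names, thresholds and sample addresses are assumptions) by reflector source port or SYN-only flag, then raises an alert per victim IP and second when both the aggregate bit rate and the number of distinct sources exceed the thresholds, which is the signature the FAQ describes (high volume, many inconsistent source addresses).

```python
from collections import defaultdict

# Reflection vectors named in the FAQ, keyed by (protocol, reflector source port).
REFLECTION_VECTORS = {("udp", 19): "Chargen", ("udp", 53): "DNS", ("udp", 123): "NTP",
                      ("udp", 161): "SNMP", ("udp", 1900): "SSDP"}

def classify(rec):
    """Name the flood vector one flow record suggests, or None if it looks ordinary."""
    if rec["proto"] == "udp":
        return REFLECTION_VECTORS.get(("udp", rec["src_port"]), "UDP")
    if rec["proto"] == "tcp" and rec["flags"] == "S":  # SYN-only flow, no handshake
        return "SYN"
    return "ICMP" if rec["proto"] == "icmp" else None

def detect_floods(records, min_bps=1_000_000_000, min_sources=50):
    """Bucket flows per (victim IP, second) and alert when both the aggregate rate and
    the distinct-source count exceed the assumed thresholds; vectors are ordered by bytes."""
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set(), "vectors": defaultdict(int)})
    for rec in records:
        vec = classify(rec)
        if vec is None:
            continue
        b = buckets[(rec["dst_ip"], rec["ts"])]
        b["bytes"] += rec["bytes"]
        b["sources"].add(rec["src_ip"])
        b["vectors"][vec] += rec["bytes"]
    alerts = []
    for (dst, ts), b in sorted(buckets.items()):
        bps = b["bytes"] * 8
        if bps >= min_bps and len(b["sources"]) >= min_sources:
            alerts.append({"dst_ip": dst, "ts": ts, "gbps": round(bps / 1e9, 2),
                           "sources": len(b["sources"]),
                           "vectors": sorted(b["vectors"], key=b["vectors"].get, reverse=True)})
    return alerts

def flow(ts, src_ip, src_port, dst_ip, dst_port, proto, nbytes, flags=""):
    """Build one NetFlow-like record (the field names are this example's assumption)."""
    return {"ts": ts, "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto, "bytes": nbytes, "flags": flags}

# Constructed sample: NTP and SSDP reflectors plus a SYN flood hit 203.0.113.10 in one
# second (2.24 Gbps from 400 sources); a benign DNS answer and a normal TLS flow must not alert.
SAMPLE_FLOWS = (
    [flow(1, f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, "udp", 2_000_000) for i in range(1, 121)]
    + [flow(1, f"192.0.2.{i}", 1900, "203.0.113.10", 41000 + i, "udp", 500_000) for i in range(1, 81)]
    + [flow(1, f"10.0.{i}.1", 50000 + i, "203.0.113.10", 80, "tcp", 60, "S") for i in range(200)]
    + [flow(1, "203.0.113.53", 53, "203.0.113.20", 33333, "udp", 512),
       flow(2, "192.0.2.200", 52000, "203.0.113.10", 443, "tcp", 9000, "PA")]
)
```

Running `detect_floods(SAMPLE_FLOWS)` yields a single alert for 203.0.113.10 at second 1 with the NTP, SSDP and SYN vectors; the thresholds should be tuned to the baseline of the network being monitored.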
Please take this group seriously should your organization receive an email notification. The DD4BC attacks are not a hoax; the threat and the resulting DDoS traffic are real. Akamai and Prolexic are easily able to mitigate the types of attacks generated by this group, and the amount of traffic they have been able to generate to date is well under the ranges that the Prolexic and Akamai platforms are able to handle. If you receive a ransom demand and need to ensure that your organization has the necessary protection in place, please contact your account team or a local Akamai office found here.
Customers: What you can do
The Akamai Security Operations Center is open 24/7, and our vast cloud-based mitigation platform is ready to respond. However, there are some proactive steps you can take:
- Review your playbook with IT and security staff to ensure you are prepared and know what to do in the event of an attack.
- Ensure all contact numbers and email addresses for key staff have been updated and are correct.
- Ensure all critical staff are available - if staff are on vacation or absent due to sickness, make sure their responsibilities are covered by others.
- Stay in close contact with the Akamai SOC and check the Akamai Community Security space for updates. https://community.akamai.com/community/security-research-and-intelligence