The Akamai Blog

Defending Against DD4BC Cyber Attacks

To date, over a dozen Akamai customers have been the targets of DD4BC, a group of cyber attackers who use a series of politely worded, yet increasingly threatening, email messages to extort a 25 Bitcoin ransom (approximately $5,750 in US dollars) in exchange for stopping attacks on the victims' sites, and the number of victims is increasing. DD4BC starts out with what they call "small demonstrative attacks" that will not crash the site and last for one hour "just to prove that we are serious." Those companies that continue to ignore DD4BC's 24-hour ransom demand receive subsequent emails upping the ransom to 50-100 Bitcoins and threatening long-term UDP flood attacks at 400 to 500 Gbps, which they warn will not be easy to mitigate.

Make this "one-time payment" of 25 Bitcoins, the DD4BC extortionists say, and they promise that the victims will "not ever hear from us again." The emails conclude with the chillingly devious line, "We do bad things, but we keep our word."

Defeating DD4BC with Akamai cyber defense

So far, DD4BC has attacked companies in specific industry sectors that are most likely to easily raise the Bitcoin ransom, but are not likely to alert law enforcement in order to avoid the bad publicity of a cyber-attack: payment processing, banking/credit unions, online gambling, oil and gas, e-Commerce, and high tech consulting and services. Akamai's Prolexic Security Engineering and Research Team (PLXsert) has observed that the group is expanding to other business sectors. All Akamai customers should be vigilant and aware of these threats, but also be confident that Akamai's DDoS mitigation can defeat anything DD4BC throws their way. Here are the facts:

Akamai can stop their attacks. DD4BC threatens large UDP flood attacks of 400 to 500 Gbps; however, Akamai has found no credible proof that this group could carry out an attack of this size. To date, Akamai has mitigated DD4BC attacks that have measured only 7 Gbps. PLXsert has also received credible information that other DD4BC attacks have peaked over 15 Gbps. Is DD4BC bluffing? Don't take the chance. Akamai is ready with the mitigation bandwidth to stop even the largest DDoS attacks. The always-on, built-in protection of Akamai's Kona Site Defender solution absorbs application layer distributed denial of service (DDoS) attacks, deflects network layer attacks, and incorporates a full-featured Web Application Firewall, so your website and web applications are protected against even the largest and most stealthy attacks.

We know how they operate. DD4BC is using an approach known as "express kidnapping" in which they first demand a small ransom that the victim can easily pay. In the attackers' eyes, it's a win-win for both parties. The hackers get quick cash, and the victim undergoes only a small attack with no big losses or law enforcement involvement. DD4BC is likely using publicly available DDoS toolkits or rented botnets from the DDoS-for-hire underground to launch the attacks. The data gathered by PLXsert suggests that some victims have paid ransoms and that copycat hackers may be entering the game once they see how easy it is for DD4BC to profit from this approach.

We know where they are. Based on the latest attacks launched and the IPs correlated in our IP Reputational Database, Akamai has identified over 1,400 IPs most likely coming from booter/stresser sites. Akamai's PLXsert has found that the majority of DD4BC attack traffic (40%) has been traced to the U.S., with 22% coming from China, 11% coming from Japan, and 9% coming from Korea.

What you can do

Don't make it easy for DD4BC to win. Don't ignore emails, texts, and other communication that make extortion or blackmail threats. Don't pay the ransom. Always alert IT and the Akamai Security Operation Center that your company has become a live target of DD4BC so that defensive action can begin. In addition, alert law enforcement of this cyber-crime.

Akamai is here to help. Even before an attack occurs, we'll review your cyber defense playbook with your IT and security staff to ensure that your organization is prepared and has a rehearsed response plan in place. We also recommend staying informed on the latest DDoS attack trends and web security vulnerabilities, monitoring your organization's social media pages, blogs, and message boards for inflammatory chatter, and, most of all, validating your DDoS mitigation service on a regular basis.

Read more on the DD4BC threat in the Akamai Security Bulletin: DD4BC Operation Profile.