Akamai Diversity

The Akamai Blog

2020 DDoS Extortion Campaign -- A Sequel More Thrilling Than the Original

Costarring Susan McReynolds and Tom Emmons

As you might imagine, as the go-to enterprise DDoS mitigation experts, our phones have been "ringing off the hook" as the global extortion DDoS campaign sequel rages on. It's bigger, badder, and features a broader cast of criminal characters than seen previously with last year's extortion-related activity

DDoS Extortion Blog, 10.27_pic1.png

And as a direct result of this campaign, we've seen a ton of new and expanded customer activity as organizations suddenly needed additional defensive controls for internet-facing assets, pronto. The following stats need to be updated almost daily with enterprises across all verticals still being targeted by the threat actor groups:

  • New Prolexic Data Center DDoS Protection Customers: 30+
  • Existing Prolexic Customer Upgrades: 10+

In fact, we've done more than 30 emergency turn-ups -- three for stock exchanges alone.  

The following scripts are true, but the names have been changed to protect the identity of the organizations affected. Let's take a closer look behind the scenes. Action!

Scene 1: When threat actors play villain

Like many businesses impacted by the COVID-related downturn, We'll Be Fine, Inc. experienced significant downsizing as a result. As a cost savings measure, the company decided not to renew the Prolexic portion of its security services contract. It justified this decision by the fact that it had never experienced a DDoS attack and would therefore just assume the risk moving forward. 

By the middle of August, that was no longer the case, when an executive received the DDoS extortion email. A short time later, We'll Be Fine, Inc. was hit by a DDoS attack that had a significant impact on its infrastructure. While its WAF solution deflected malicious traffic targeted at web-facing properties, the attackers homed in on the company's data centers and launched a DDoS attack across all ports and protocols. Immediately, the customer contacted Akamai, and by the next morning its integration requirements had been documented by the Prolexic specialist team.

That same day, the organization received another email from the attackers stating it would get hit again if extortion demands weren't met. Because the impending threat was considered real and it was believed that the attackers would follow through, We'll Be Fine, Inc. deployed Prolexic always-on emergency turn-up services to protect its internet-facing infrastructure before the next extortion deadline. While the customer did see some unusual spikes in traffic, the attackers didn't attempt the follow-up attack as threatened, most likely because Prolexic defenses were already in place.

Our Cutaway:
Threat actors from the DDoS extortion campaign continue to pivot across industry verticals and attack organizations previously considered "low-risk" targets for DDoS. It only takes one DDoS attack for you to know you need mitigation controls in place. DDoS mitigation solutions should be viewed as an insurance policy to help keep internet-facing assets protected and threat actors deterred. And as we've seen in other Prolexic emergency turn-up situations, once controls were in place, the attackers rarely followed through on their threats.

Scene 2: Why you need the big guns as the hero

As a result of the DDoS extortion campaign, Need Help Now, LLC was hit with sustained DDoS attacks for more than a week, impacting customer-facing services and availability. The organization's existing DDoS protections were not powerful enough to mitigate the severe attacks. When the company looked to procure additional defenses, it was informed it would take 10 days to have new services up and running -- a risk the company was not willing to take.  

Upon receiving an industry referral, Need Help Now, LLC immediately contacted Akamai to procure emergency integration of its Prolexic DDoS mitigation platform. Within a matter of hours, the company was onboarded to the Prolexic platform, and the threat actors were no longer able to disrupt mission-critical, internet-facing infrastructure.

Our Cutaway:
Akamai's purpose-built Prolexic DDoS mitigation solution is all about having the right platform, people, and processes in place to keep internet-facing assets protected in times of customer crisis. Unlike other providers, we provide a fully managed solution that enables our SOC to act as an extension of a customer's incident response team. The white-glove level of service we provide (even during emergency integrations) combined with our DDoS mitigation expertise drives real value for our customers.

Scene 3: When time is of the essence to survive

When Time Is Money Industries received the DDoS extortion letter warning of an impending attack, it realized it might be in trouble. A few hours later, the threat actors targeted and took down its DNS infrastructure and saturated its internet routers with a DDoS attack. When the second email arrived from the extortionists and demanded bitcoin payment, and with data centers taken offline by the initial "show of force" attack, the company knew it  needed to act quickly to procure DDoS defenses.

When the organization approached Akamai, it had been considering another vendor's deployment and noted the driving factors in making its decision would come down to the level of support provided and the time to implement DDoS protection. Upon speaking with Akamai on the initial emergency turn-up discussion call, the Akamai and Prolexic account teams provided an unrivaled level of service and technical expertise, giving Time Is Money Industries the confidence that Prolexic was the right platform to deliver the quality of mitigation it needed to quickly defend against an impending attack. Within a matter of hours, the company was under Prolexic DDoS defense. Now that's rolling out the red carpet.

Our Cutaway:
Comprehensive protection requires a holistic approach to protecting DNS, web properties, and internet-facing assets from DDoS attacks. With this extortion campaign, attackers are doing their homework and researching customer environments to determine what is and isn't protected. Deploying Prolexic protection across all ports and protocols complements WAF (Kona) and DNS defense (Edge DNS) to help provide DDoS defense in depth for customers. 

While many extortion campaigns remain active until arrests are announced, organizations can fight back by having an experienced DDoS mitigation partner in place. Check out our DDoS Extortion Battle Plan for proactive tips on how to improve your defensive posture. 

The bottom line: To keep today's business-critical assets up and running, enterprises -- both large and small alike -- need access to high-quality mitigation controls, platform scale, and the expertise to stop DDoS attack campaigns in their tracks. If you are currently under attack or threat of extortion, reach out to the Akamai DDoS hotline, 1-877-425-2624, for immediate assistance.

Roll Credits:

While the attacks were frequent, large, and persistent, we are seeing less and less activity as the threat actors shy away from customers routed over Akamai networks. This is almost certainly due to our success in proactive mitigation controls, having mitigated over 90% of the threats through our 0-second SLA.

DDoS Extortion Blog, 10.27_pic2.png

DDoS Extortion Blog, 10.27_pic3.png

Deleted Scenes:

For more technical details and additional resources, please see the following blog posts:  

DDoS Extortion Examination

Unprecedented Levels of Ransom DDoS Extortion Attacks

Ransom Demands Return: New DDoS Extortion Threats from Old Actors Targeting Finance and Retail

Click here to register for a custom threat briefing.