South African bank tells its tale of battling ransom attacks

Since November 2015, this bank has fought off groups looking for money.

Editor's note: Due to an error by the source, the bank's name has since been removed from this story.

In November of 2015, a bank in South Africa received a ransom email from the Armada Collective, which was quickly followed by a teaser flood attack that the bank proactively mitigated. Sort of a shot across the bow to make sure the bank knew the criminals were serious.

Bank officials didn’t flinch. According to a verbatim in Radware’s recently released Global Application & Security survey, the bank detected and mitigated the teaser flood attack before officials discovered the email, which had been sent to an unattended mailbox while the company was closed. With a hybrid DDoS mitigation solution in place, the flood attack had no impact and was immediately diverted to a scrubbing center for cleanup.

The report revealed that ransom attacks are by far the most prevalent threat—growing from 25% of attacks in 2015 to 41% in 2016. What’s driving the increase? Cyber ransom can be a highly lucrative “business.” It is faster, easier and cheaper than ever to execute this form of extortion, which gives its victims a very short window to respond before suffering what could be a devastating disruption to systems and day-to-day operations.

Keep in mind these ransom email attacks are different from the common ransomware that today can hold companies' data hostage until money is paid.

A senior network architect explained in the report because the bank is located in South Africa, the organization is geographically separated from the rest of the world. This has implications on both the organization’s ability to protect itself (for instance, in terms of latency in times of diversion) and also limits the ability of hackers to use volumetric attacks; hackers can’t get even half a terabyte of traffic in South Africa.

“For us, a teaser attack may bring 300 megabytes of traffic. As a safety precaution, when we receive a flood attack and ransom note, we divert network traffic to the scrubbing center of our DDoS mitigation vendor, Radware, before the ransom payment deadline. We believe that hackers executing the ransom attack will observe the traffic being diverted and will realize the futility of launching a teaser attack,” the network architect said.

The bank also believes that it sends a signal to Armada Collective and other ransom groups. “By taking powerful and decisive action, we send the message that we won’t be victimized.”

In April of 2016, the bank received another ransom email purporting to be from Lizard Squad. The bank learned through a local banking risk management association that the emails were from a copycat. Since it was identified as a hoax, the bank decided not to divert traffic. However, they did receive a small teaser attack and relied on Radware’s Emergency Response Team for support.

Since the beginning of 2016, the diversity of attack vectors has increased and the bank has experienced a fourfold increase in burst attacks. At the same time, attacks lasting more than an hour are decreasing. The trend seems to be shifting toward very short, “hit and run” assaults.

radware DDoS Radware

Yet not all attacks are burst attacks. In September 2016, the bank received an attack that was relatively small (only 2G-3Gbps) but lasted over four hours and gradually evolved in several stages. First, bank officials noticed that some of the attacks were ping-back attacks. They experienced attacks of 16,000 SYN connections—big for South Africa—which were mitigated via our on-premises DDoS protection appliance.

After the Half-SYN attack, there was an HTTP flood with about 2,000 sources in the attack, which was also successfully mitigated. However, the bank had difficulty mitigating the full HTTPS flood attack.

“It was the first time we experienced an encrypted attack, highlighting the need for dedicated protection against encrypted attacks that leverage SSL standards to evade security controls. Normally the bank faces UDP fragmented attacks followed by a DNS reflective attack. In this case, we were hit with a typical SSL attack that we were not prepared to mitigate,” according to the Radware report.

Typically attacks only last three to four minutes and immediately follow each other, but this SSL attack lasted an hour and a half, putting the bank's defenses under tremendous stress because of the computing resources the attack consumed. The bank generated so much response load that it pushed its outbound connection to its limit; it tripled our usual throughput.

Lessons learned

The year 2016 saw an explosive rise in extortion threats, which eclipsed most other types of cyber-attacks. Radware found in its survey that 56 percent of organizations reported being the victim of a cyber-ransom attack and 41 percent of organizations mark ransom as the greatest cyber threat facing their organization (versus 25 percent in 2015). Here are some lessons the bank learned:

1. The benefits of behavioral analysis over rate-limiting analysis.

In the past, the bank tested a DDoS mitigation solution that leveraged rate-limiting technology and discovered that using behavioral analysis provided a significant advantage. Since it doesn’t block legitimate traffic, it enables the bank to maintain its service levels.

2. The importance of time to mitigation.

By having the ability to develop attack signatures in real time, the bank has been able to mitigate attacks in as little as 20 seconds.

Primary actors

Radware has identified some of the primary groups that carry out ransom DoS attacks:

Armada Collective: Armada Collective is arguably the best known—and most imitated— gang of cyber criminals. With a typical ransom demand of 10 to 200 Bitcoin (about $3,600 to $70,000), this gang often accompanies its ransom notes with a short “demo” or “teaser” attack. When time for payment expires, Armada Collective takes down the victims’ data centers with traffic volumes typically exceeding 100Gbps.

Apparent copycats have begun using the Armada Collective name; one early tactic involved attempted extortion of about $7.2 million from three Greek banks.

DD4BC: This cybercriminal group, whose name is an acronym for “distributed denial of service for Bitcoin,” started launching Bitcoin extortion campaigns in mid-2014. Initially targeting the online gambling industry, DD4BC has since broadened targets to include financial services, entertainment and other high-profile companies, Radware claims.

ezBTC Squad: Instead of using email messages, this group of cybercriminals is using Twitter as the vehicle for delivering itsRDoS threats. Others are following suit.

Kadyrovtsy: Named after the elite forces of the Kadyrov administration in Chechnya, Radware says this is one of the newest groups to emerge on the RDoS scene. It recently threatened two Polish banks and a Canadian media company. The group even launched demo assaults (15G-20Gbps) to prove its competence, much like the Armada Collective.

RedDoor: RedDoor issued its first threats in March 2016. Per the “standard,” these criminals use an anonymous email service to send messages demanding a ransom of 3 Bitcoin. Targeted businesses have just 24 hours to wire the payment to an individual Bitcoin account.

Beware the Copycats: “Copycats” are compounding the RDoS headaches, Radware reports. These players are issuing fake letters—hoping to turn quick profits with minimal effort. Here are some tips to detect a fake ransom letter:

  1. Assess the request. The Armada Collective normally requests 20 Bitcoin. Other campaigns have been asking for amounts above and below this amount. Fake hackers typically request different amounts of money. In fact, low Bitcoin ransom letters are most likely from fake groups who are hoping their price is low enough for someone to pay rather than seek help from professionals.
  2. Check the network. Real hackers prove their competence by running a small attack while delivering a ransom note. If there is a change in network activity, the letter and the threat are probably genuine.
  3. Look for structure. Real hackers are well organized. Fake hackers, on the other hand, don’t link to a website, and they lack official accounts.
  4. Consider other targets. Real hackers tend to attack many companies in a single sector. Fake hackers are less focused, targeting anyone and everyone in hopes of making a quick buck.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)