From what we've seen of the attacks so far, there is an almost professional approach to the whole process; initially, an email will arrive at the target explaining who the attackers are and even linking to some blogs that were written about them and their extortion tactics.
The email goes on to state that unless a fee is paid (usually around 40 Bitcoin, but demands can go into the hundreds), a large-scale DDoS attack will be launched. Alternatively, some emails will only arrive after the attack has started, stating that the attack will only be stopped if the ransom is paid, or the severity will be reduced if a portion of the fee is paid.
We've monitored some attacks that start slowly and increase in scale - DD4BC, the company behind the extortion, claims it can launch attacks of up to 400-500 Gbps. Such attacks are very rarely that strong, but they are known to last up to 18 hours, which is definitely enough time to seriously impact a business.
At this point, it seems that no particular industry is being targeted specifically, but there is one general theme. The targets we've seen so far have been those that rely on online transactions to operate, such as financial institutions and currency exchanges.
One endgame to this is that the extortion element could actually be a diversion tactic, meaning the customer concentrates on the sheer volumetric high-end type of attacks, when the offenders are actually targeting a local application with a different attack vector. This means that hackers could be conducting local application level attacks involving any form of penetration into the application itself. So often the target isn't actually to bring down or disrupt a website or service but to gain access to an application in order to steal information, whether it's credentials, financial information, personal data or something else.
It's understandable that some targets may think the email is junk and ignore it, but that's not necessarily the best course of action. Of course, that doesn't mean that paying the ransom is advisable either. That leaves targets with the option of mitigating the attack, despite the emails specifically stating that attempting to mitigate the DDoS attack is pointless. Whilst the protagonists may claim that the attack is too big for even the best technology to cope with, that's just not true.
Mitigation is possible through a combination of on-premises and cloud-based anti-DDoS technologies. A hybrid approach allows a company to mitigate DDoS attacks that are launched from outside the infrastructure and also cope with local-level attacks targeting the application layer.
A DDoS attack of up to 500 Gbps in size can only be stopped with cloud-based technologies. The local network and application level attacks (which will happen if the DDoS is a diversion tactic) has to be stopped with on-premises technologies. So one or the other won't do; a hybrid approach is the key to protecting your business from the ever-expanding arsenal of the cybercriminal.
