Security Alert: DD4BC targets companies with complex DDoS attacks
How cybercirminals extort companies for Bitcoins
You’re the CEO of a mid-sized or large company.
Every day, you check your inbox in the morning. It’s reflex.
While scrolling through, you come across a very peculiar email that says:
“All your servers are going under attack unless you pay 40 Bitcoin.”
At first, you think it’s some kind of stupid joke. But after reading the rest of the email, you call your CISO.
“We have a situation. It’s urgent!”
That’s what major companies have been going through the past couple of days.
Our team of researchers have received reports that confirm that DD4BC – a notorious cyber criminal group – is targeting Scandinavian companies with complex DDoS attacks.
The looming DDoS attack
DD4BC is threatening multiple big organizations all over the Scandinavian peninsula with distributed denial-of-service attacks. While we cannot disclose the targets’ identities for confidentiality reasons, it is important for all the companies which may become a target to acknowledge the threat.
What is DD4BC?
DD4BC is a group of highly sophisticated and aggressive cyber criminals, who chooses to blackmail specific companies by asking them to pay bitcoins to avoid their central services being subject to DDoS attacks.
The cyber criminals’ method is to launch a massive and violent DDoS attack against a selected target that lasts approximately 1 hour. Being an unexpected and especially violent and extensive attack, the onslaught usually brings down vital business services, causing disruption and financial loss.
After this initial attack, the group sends the victim a blackmailing email that reads as follows (sanitized by Heimdal Security):
To introduce ourselves first:
Or just google “DD4BC” and you will find more info.
So, it’s your turn!
All your servers are going under attack unless you pay 40 Bitcoin.
Pay to [removed by Heimdal Security]
Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps.
Right now we are running small demonstrative attack on 1 of your IPs: [removed by Heimdal Security]
Don’t worry, it will not be hard, since we do not want to crash your server at this moment, and will stop in 60 minutes. It’s just to prove that we are serious.
We are aware that you probably don’t have 40 BTC at the moment, so we are giving you 24 hours to get BTC and pay us.
Find the best exchanger for you on http://howtobuybitcoins.info or http://localbitcoins.com You can pay directly through exchanger to our BTC address, you don’t even need to have BTC wallet.
Current price of 1 BTC is about 230 USD, so we are cheap, at the moment. But if you ignore us, price will increase.
IMPORTANT: You don’t even have to reply. Just pay 40 BTC to [bitcoin address] we will know it’s you and you will never hear from us again.
We say it because for big companies it’s usually the problem as they don’t want that there is proof that they cooperated.
If you need to contact us, feel free to use some free email service. Or contact us via Bitmessage: BM-[removed by Heimdal Security].
But if you ignore us, and don’t pay within 24 hours, long term attack will start, price to stop will go to 100 BTC and will keep increasing for every hour of attack.
If you think about reporting us to authorities, feel free to try. But it will not help. We are not amateurs. The best thing that can happen, they will go publicly about it. We will, again, get some free publicity. But for you, price will go up.
IMPORTANT: It’s a one-time payment. Pay and you will not hear from us ever again!
In many cases, our “customers” fear that if they pay us once, we will be back and ask for more. That’s not how we work. We never attack the same target twice.
We do bad things, but we keep our word.
The typical pattern for the DD4BC gang is to launch DDoS attacks targeting Layer 3-4, but if this does not have the desired effect, they will/can move it to layer 7 with various types of loop back attacks with post/get requests. The initial attack typically lies on a scale between 10-20GBps. This is rather massive, but often not even close to the real threat.
If a company fails to meet their requests, and if that company doesn’t migrate this attack through various anti-DDoS services, the group will typically move on after 24 hours of a sustained attack. But you shouldn’t count on this pattern to manage your cyber security tactics.
Is your company prepared to deal with a DDoS attack?
Distributed denial-of-service attacks are malicious attempts to render a server or a network resource unavailable to users.
DDos attacks work employ several strategies. Here are some of them:
- Forcing the targeted servers to reset
- Using up the server’s resources so it can no longer provide the service it was meant to deliver
- interrupting or suspending the communication media between the users and the victim of the attack.
The favorite targets of cyber criminals who launch DDoS attacks are high-profile web servers such as banks, credit card payment gateways, and even root nameservers. That’s why DD4BC has been targeting financial institutions all over Europe.
DDoS attacks are, unfortunately, widespread. In 2014, high-profile companies such as Evernote, Feedly, Meetup, Basecamp, Vimeo, Bit.ly, SAY Media/TypePad, Namecheap, Plenty of Fish, Moz and others have become victims of such attacks.
Moreover, the number of attacks has increased:
“The frequency of attacks [in the government and financial services sectors] each grew from 15% in Q4 2014 to represent 18% of all Verisign mitigations in Q1 2015.”
Numbers from Akamai Technologies also support this claim: the number of DDoS attacks it dealt with increased by 35% in Q1 of 2015 compared to the final quarter of 2014.
According to NSFOCUS’s 2014 DDoS THREAT REPORT:
“While 90% of DDoS attacks lasted less than 30 minutes, one attack lasted 70 hours. This shorter attack strategy is being employed to improve efficiency as well as distract the attention of IT personnel away from the actual intent of an attack: deploying malware and stealing data. These techniques indicate that today’s attacker continues to become smarter and more sophisticated.”
And it seems that cyber criminals never take a break:
“As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour.”
You can see a live map of top daily DDoS attacks worldwide here:
What you can do to protect your company from DDoS attacks
As a CEO or CISO, we recommend you secure your company’s assets and take proactive measures to counter the possibility of a DDoS attack of this magnitude.
We do not recommend giving into extortion, since previous experiences with this type of cyber criminals show that, while they do move on to other victims, they also tend to return to their previous victims at some point.
In this particular case, we recommend you employ DDoS mitigation techniques, including:
- passing your company’s network traffic addressed to the attacked network through high-capacity networks which employ “traffic scrubbing” filters
- anti-DDoS technology
- anti-DDoS emergency response services
- reducing reaction time to any type of attack by having an emergency cyber response team in place and a cyber security policy to offer a pattern for action.
DDoS attacks are becoming increasingly dangerous, and the DD4BC group is especially serious about their threats.
Their advanced attack techniques make them a serious cause for concern among high-profile companies, so you should spare no effort in counteracting these types of attacks.