What is a DDoS Extortion Attack and How do you Respond to it?

DDoS extortion attacks have skyrocketed over the past year and are expected to keep trending upwards. DDoS attacks aren’t new threats. However, cybercriminals are leveraging these attacks to extort money from organizations by causing downtime and preventing legitimate users from accessing web applications. With the global pandemic forcing organizations to adopt remote working, cybercriminals have seized the opportunity to launch unprecedented numbers of DDoS attacks, including DDoS extortion attacks.

In this article, we help you understand what these attacks are and how to respond to them.

DDoS Extortion Attacks, also known as Ransom DDoS (RDDoS) attacks, are attacks where malicious actors extort money from organizations or individuals by threatening a Distributed Denial of Service (DDoS) attack. Like regular DDoS attacks, DDoS Extortions prevent legitimate traffic from accessing the application or service. This causes significant operational disruptions, financial losses, legal costs and reputational damage.

How do RDDoS attacks work?

Typically, one of three methods is used to carry out RDDoS attacks:

  • The attacker could carry out the DDoS attack and send a ransom note or email to the organization demanding that they pay the ransom to stop the attack.
  • In some cases, they may initially target a specific element of the organization’s infrastructure to conduct a demonstrative attack to show that the DDoS Extortion threat is legitimate. They will follow this limited attack up with a ransom note threatening a larger attack.
  • In other cases, the attacker may send the ransom note threatening to carry out DDoS. It is possible that the attacker is incapable of carrying out the attack and may well be making an empty threat. However, given the potential consequences of downtimes and crashes, it would not be wise to assume all are empty threats. Most attackers typically conduct pre-attack reconnaissance to identify vulnerabilities and weaknesses to exploit, before issuing the threat.

Whether the ransom note comes before (if the attacker follows through with their threat) or after the attack, DDoS Extortions work like regular DDoS. They overwhelm applications or services with traffic that slows them down or causes a crash, making them unavailable to legitimate users. If the ransom is paid, the attack may stop, or the attacker could come back with additional demands. It is strongly recommended not to pay ransoms.

Recent DDoS Extortion Attacks

Beginning in mid-August 2020, cybercriminals posing as Fancy Bear (APT 28) and the Armada Collective launched RDDoS campaigns demanding bitcoin payments (ranging from USD 50,000 to 300,000) to prevent attacks. These DDoS Extortion campaigns were largely targeted at the financial services and travel industry. Upstream internet transit providers also faced RDDoS attacks.

Most used attack vectors

Attackers used one or more of the following DDoS attack vectors to carry out RDDoS.

  • DNS
  • NTP
  • CLDAP reflection/amplification
  • Spoofed SYN-flooding
  • ARMS
  • WS-DD
  • SSDP
  • GRE and ESP packet-flooding
  • TCP ACK-floods
  • TCP reflection/amplification attacks
  • IPv4 protocols launching packet-flooding attacks
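
As an added example (not part of the original post), the sketch below triages inbound flow records against a subset of the vectors listed above, so a responder can tell an upstream provider which destination is being hit and by what. The flow-record field names, the thresholds, the assumption that `flags` holds the cumulative TCP flags of a flow, and the sample data are all constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflection/amplification vectors named in the list.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP",
                   1900: "SSDP", 3283: "ARMS", 3702: "WS-DD"}
IP_PROTOS = {47: "GRE", 50: "ESP"}           # IP protocol numbers
TCP_FLAG_ONLY = {"S": "SYN-only TCP", "A": "ACK-only TCP"}

def classify(flow):
    """Label one inbound flow with a candidate vector, or None."""
    if flow["proto"] == 17:   # UDP: reflected replies arrive *from* the service port
        return REFLECTOR_PORTS.get(flow["sport"])
    if flow["proto"] == 6:    # TCP: a lone S or A means no handshake was seen
        return TCP_FLAG_ONLY.get(flow["flags"])
    return IP_PROTOS.get(flow["proto"])

def triage(flows, min_share=0.5, min_bytes=1_000_000):
    """Flag destinations where candidate-vector traffic dominates inbound bytes."""
    total = defaultdict(int)
    vec_bytes = defaultdict(lambda: defaultdict(int))
    vec_srcs = defaultdict(lambda: defaultdict(set))
    for f in flows:
        total[f["dst"]] += f["bytes"]
        vec = classify(f)
        if vec:
            vec_bytes[f["dst"]][vec] += f["bytes"]
            vec_srcs[f["dst"]][vec].add(f["src"])
    findings = {}
    for dst, vecs in vec_bytes.items():
        suspect = sum(vecs.values())
        if suspect >= min_bytes and suspect / total[dst] >= min_share:
            ranked = sorted(vecs.items(), key=lambda kv: -kv[1])
            findings[dst] = {"share": round(suspect / total[dst], 2),
                             "vectors": [(v, b, len(vec_srcs[dst][v])) for v, b in ranked]}
    return findings

def flow(src, dst, proto, sport, nbytes, flags=""):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "bytes": nbytes, "flags": flags}

# Constructed sample (documentation address ranges), not captured traffic.
SAMPLE = (
    [flow(f"198.51.100.{i}", "203.0.113.10", 17, 123, 46_800) for i in range(1, 41)]
    + [flow(f"192.0.2.{i}", "203.0.113.10", 17, 389, 150_000) for i in range(1, 21)]
    + [flow("192.0.2.200", "203.0.113.10", 6, 51000, 500_000, "SAPF"),
       flow("192.0.2.53", "203.0.113.20", 17, 53, 4_000),      # ordinary DNS answer
       flow("192.0.2.201", "203.0.113.20", 6, 52000, 2_000_000, "SAPF")]
)

if __name__ == "__main__":
    for dst, info in triage(SAMPLE).items():
        print(dst, info)
```

The share threshold keeps ordinary DNS answers or isolated SYNs from flagging a host; only a destination whose inbound bytes are dominated by these patterns is reported, with vectors ranked by volume and the number of distinct sources per vector.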

Responding to DDoS Extortion

Should you pay the ransom?


Aside from the monetary loss to the organization, paying a ransom does not guarantee that the attacker will stop their activities. The attacker may not stop the DDoS attack as agreed, may initiate the attack anyway, or may come back in the future with additional demands or subsequent attacks.

Secondly, the DDoS Extortion threat could be an empty threat. This means the organization has paid the attacker for nothing.

Thirdly, ransom payments enable attackers to fund their extortion campaigns better. They could use the money to expand their capabilities, improve attack sophistication or buy advanced technology for improved reconnaissance.

How to Respond?

If the organization receives a ransom note, the first thing to do is to report it to the appropriate law enforcement authorities. They must also engage with peers, transit ISPs and other organizations providing critical internet-facing services (authoritative DNS hosts, etc.).

If you already have effective DDoS protection from next-gen service providers like Indusface, you can rest assured that your application will always be available, even if the threat actor initiates the attack.

If you do not have any DDoS security controls in place, put safeguards in place to mitigate potential attacks. If you are already under attack, get in touch with a security service provider to stop the attack and minimize the impacts.


Given the unprecedented number of DDoS extortion attacks, the organizations that have fared best are the ones with robust DDoS protection in place. Those without appropriate defense measures have either had to pay ransoms or scramble, on D-day or under threat of impending attack, to deploy security controls to minimize the disruptions caused. So, implement effective DDoS mitigation practices and security controls today to nullify the impact of RDDoS.


The post What is a DDoS Extortion Attack and How do you Respond to it? appeared first on Indusface.

*** This is a Security Bloggers Network syndicated blog from Indusface authored by Ritika Singh. Read the original post at: https://www.indusface.com/blog/what-is-a-ddos-extortion-attack-and-how-do-you-respond-to-it/
