
Cyber extortion: To pay or not to pay?

Online criminals' paydays are primarily earned behind the scenes. However, some miscreants are less discreet, preferring to contact their victims to ask for exactly what they want…or else. Extortion isn't new when it comes to the threat landscape, but as of late, it seems as though it's the flavor of the times for saboteurs, especially as cryptocurrency allows for an anonymous exchange of funds.

A recent spate of distributed denial-of-service (DDoS) attacks involving extortion tactics on small to midsized, but popular, tech firms, including Meetup, Basecamp and possibly Hootsuite, has made headlines.

In Meetup's case, the company received an email from an attacker asking for $300 or they would knock the social networking portal offline. When it didn't comply, a wave of malicious traffic rendered its services unavailable, causing intermittent outages for days. Basecamp faced a similar scenario, and many security analysts believe Hootsuite did as well. 

One may think, “Why not cough up $300 if you're destined to lose thousands more?” And that is a valid point. These attacks hurt brand reputation, affect customer confidence and could attract unwanted media attention. But paying up could lead to even more issues.

Don Jackson, director of threat intelligence at PhishLabs, a Charleston, S.C.-based security firm that specializes in phishing, malware and DDoS threats, says that attackers depend on victims to not fight back, and those that pay will become a favorite target. 

“We absolutely suggest that targeted organizations do everything they can to avoid impact and recover without paying.” 

Having competent technical teams and all the solution bells and whistles may not be enough as these attacks continue to grow in size. According to a study by Arbor Networks, the average size of DDoS attacks was 20 percent higher in 2013 than in 2012. Based on recent incidents involving massive NTP [network time protocol] reflection attacks, this is a continuing trend.

Although the attacks are growing in size, Matthew Prince, CEO at CloudFlare, believes that security firms that specialize in DDoS mitigation should do the best they can to lower their costs in an effort to combat these threats. He sees a correlation between the amount being ransomed and the prices these services go for.

“As it becomes less and less expensive to defend against these attacks, that inherently drives down the amount that attackers can ask for,” he said. 
