Ransom payments finance and strengthen DDoS attack infrastructure

19.11.2015 - Extortion is currently a popular method used by cybercriminals seeking rapid financial gain. Different types of attack are used as leverage to extract money from a victim, including DDoS attacks, which disrupt the availability of websites and online services. MELANI has reported several times this year on such attacks and the associated extortion by the Armada Collective and DD4BC groups, which attracted media attention in Switzerland. MELANI strongly advises against agreeing to the blackmailers' demands.

DDoS attacks have been a well-known phenomenon for quite some time. Previously, the motivation behind them was mostly political activism or damaging competitors. This year, however, purely financially motivated attacks became more frequent. The perpetrators mainly selected companies whose business model relies heavily on website availability and which are therefore susceptible to blackmail. Under pressure from the threat of their website being inaccessible, and in the hope of finding a "quick" solution, some companies consider paying. Payments not only make the perpetrators' extortion efforts a success, they also provide them with funds to strengthen their attack infrastructure and step up their attacks. Attackers often use booter or stresser services, which provide DDoS attacks as a paid service (DDoS-as-a-service). The more money an attacker has available, the greater the volume of attacks (in terms of both intensity and duration) that can be bought from such a service provider. If no ransom payments are made, the criminals' business model falls to pieces. MELANI advises against making ransom payments for the following reasons:

  1. There is no guarantee that the attack will be stopped when the ransom is paid.
  2. There is no guarantee that the attack will not be repeated under another pretext or under the label of another group.
  3. Paying the ransom reveals one's own weaknesses and entices the attacker to try other attack vectors against the same victim.
  4. Cyber criminals are well organised. Word gets around quickly if a victim is willing to pay, and the probability of other groups also launching attacks increases accordingly.
  5. Payments finance and strengthen the criminals' attack infrastructure. They can afford a better attack infrastructure with the money earned. The next attack will thus be more severe. Consequently, the cost of successfully defending against such an attack goes up.
  6. Payments strengthen the attackers in their approach. The motivation to continue increases.
  7. The ransom money paid is not available to finance appropriate protective measures. 

Paying the ransom money is thus, at best, a short-term way of treating the symptoms, and without any guarantee of relief. It will not contribute to the long-term resilience of the payer's infrastructure or to online security against DDoS attacks in general. Quite the contrary: strengthening the attackers financially gives them more opportunities for longer and more serious attacks, and the payer's own resilience, as well as that of all other participants, is steadily weakened relative to the attackers.

In the event of extortion, MELANI recommends reporting the case to the local police or at least bringing it to the attention of the Cybercrime Coordination Unit Switzerland (CYCO). The more information that can be gathered on a group of extortionists, the greater the chance of successfully tracing the perpetrators.

We have summarised preventive measures for countering DDoS attacks in a checklist. Ideally, a company addresses the DDoS problem within the framework of general risk management at Executive Board level before an attack occurs, and establishes a certain degree of preparedness for DDoS attacks at operational level. Any organisation can be hit by a DDoS attack. Talk to your internet provider about your needs and appropriate precautions:

For a technical overview of these cases, please visit the blogpost of GovCERT.ch, which was also published today:

Last modification 19.11.2015

https://www.melani.admin.ch/content/melani/en/home/dokumentation/newsletter/ddos_extortion.html