Original Release Date: 1/28/2021
The Avaddon ransomware group is using distributed denial-of-service (DDOS) attacks as a secondary extortion tactic to pressure victims into paying the demanded ransom. This tactic was first observed being used by the SunCrypt and RagnarLocker ransomware threat actors in October 2020. Avaddon claims that it will continue the attacks until victims begin to negotiate. The group has also been observed threatening to publicly release the victim’s stolen data as a tertiary pressure tactic.
A separate DDOS campaign was discovered by Radware researchers in which previous victims of a DDOS extortion campaign, first seen in August 2020, are being actively targeted again. Beginning the last week of December 2020, the threat actors sent extortion emails to past victims threatening another DDOS attack if ransom demands of approximately 5-10 bitcoin were not paid. Researchers assess with high confidence that this is the same threat actor as in the August 2020 campaign and believe the actor is motivated by the rise in Bitcoin value, viewing repeat victims as easy targets.
Quarter over quarter, DDOS attacks have increased in both quantity and scale, with researchers predicting steady growth for the foreseeable future. Threat actors recently began launching DDOS attacks by heavily abusing Windows Remote Desktop Protocol (RDP) systems on which RDP authentication is enabled on UDP/3389, using these servers as reflection and amplification sources. Though the technique was initially used only by advanced threat actors, this vector is now being used by DDOS booter/DDOS-for-hire groups. Since December 2018, five other DDOS amplification sources have been identified: the Constrained Application Protocol (CoAP), the Web Services Dynamic Discovery (WS-DD) protocol, the Apple Remote Management Service (ARMS), Jenkins servers, and Citrix gateways.
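As an added illustration of the RDP UDP/3389 amplification vector from a defender's point of view (example code written for this page, not part of the original advisory or any vendor tool): the script below parses flow-log lines in a hypothetical, constructed format and flags internal hosts whose UDP/3389 reply volume to a single peer vastly exceeds the request volume from that peer, which is what an RDP server being abused as a reflector looks like from the network edge. The log format, the sample IP addresses, and the ratio/packet thresholds are all assumptions.

```python
"""Flag hosts that appear to be acting as UDP/3389 (RDP) reflectors.

Hypothetical flow-log format (constructed for this example):
  <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <packets> <bytes>
"""
from collections import defaultdict
from typing import List, Tuple

RDP_UDP_PORT = 3389

# Constructed sample flows (not real traffic). 10.0.0.5 is an internal RDP
# server; 203.0.113.9 is the spoofed address that receives the amplified replies.
SAMPLE_FLOWS = """\
203.0.113.9:51000 -> 10.0.0.5:3389 udp 40 2400
10.0.0.5:3389 -> 203.0.113.9:51000 udp 800 240000
198.51.100.7:49152 -> 10.0.0.5:3389 udp 5 400
10.0.0.5:3389 -> 198.51.100.7:49152 udp 5 900
10.0.0.8:3389 -> 192.0.2.44:60000 tcp 300 45000
"""


def parse_flow(line: str) -> Tuple[str, int, str, int, str, int, int]:
    """Split one log line into (src_ip, src_port, dst_ip, dst_port, proto, pkts, bytes)."""
    src, _, dst, proto, pkts, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port), proto, int(pkts), int(nbytes)


def find_rdp_reflectors(log_text: str, min_ratio: float = 10.0,
                        min_packets: int = 100) -> List[dict]:
    """Return (server, victim) pairs whose UDP/3389 reply bytes dwarf the request bytes."""
    inbound = defaultdict(int)              # (server, peer) -> request bytes to server UDP/3389
    outbound = defaultdict(lambda: [0, 0])  # (server, peer) -> [reply packets, reply bytes]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        s_ip, s_port, d_ip, d_port, proto, pkts, nbytes = parse_flow(line)
        if proto != "udp":
            continue  # the vector described above is UDP/3389; TCP flows are ignored
        if d_port == RDP_UDP_PORT:
            inbound[(d_ip, s_ip)] += nbytes
        elif s_port == RDP_UDP_PORT:
            outbound[(s_ip, d_ip)][0] += pkts
            outbound[(s_ip, d_ip)][1] += nbytes
    findings = []
    for (server, peer), (pkts, out_bytes) in outbound.items():
        in_bytes = inbound.get((server, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")  # replies with no requests
        if pkts >= min_packets and ratio >= min_ratio:
            findings.append({"server": server, "victim": peer,
                             "ratio": round(ratio, 1), "packets": pkts})
    return findings
```

On the constructed sample the only finding is server 10.0.0.5 replying to 203.0.113.9 at a 100:1 byte ratio; the small, balanced exchange with 198.51.100.7 is left alone.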
The NJCCIC suggests administrators conduct an inventory of internet-facing services, prioritizing those that need protection from DDOS attacks; keep software and firmware up to date; and implement secure coding practices to both minimize risk and ensure that application components perform efficiently. We also advise organizations to procure DDOS mitigation services through their internet service provider (ISP). Additional mitigation techniques can be found in the NJCCIC Advisory DDOS Attack Types and Mitigation Strategies.