DD4BC cyber extortion gang targets key European sectors

A gang using DDoS attacks to extort bitcoins is now targeting high-profile organisations in key sectors in Europe

A gang using distributed denial of service (DDoS) attacks to extort bitcoins is now targeting high-profile organisations in key sectors in Europe, prompting government advisories.

This is in line with the trend of criminal gangs repurposing DDoS attacks, which were initially intended simply to knock organisations offline by flooding them with network traffic.

But cyber criminals are increasingly using DDoS attacks as a smokescreen to hide other activities, such as the theft of data or money and for extortion.

Extortion gang DD4BC (DDoS for bitcoins) looks set to take this form of attack to a new level, threatening financial and energy sector firms with unprecedented volumes of malicious traffic.

Financial institutions recognise that all persistent cyber criminal groups could pose a threat as they and their customers increasingly come under attack.

“By default, we take all kinds of cyber crime seriously. Also crime from groups like DD4BC. We are working closely with law enforcement in various jurisdictions to make sure they have a clear picture of what we see and face,” said Troels Oerting, group chief information security officer at Barclays and former head of Europol’s European Cybercrime Centre (EC3).

“We take the necessary steps to prevent, detect, react and mitigate all kinds of cyber crime we face, and that is simply the way we work. We take our customers and employees' privacy and security very seriously and will continue to do our utmost to protect the bank,” he told Computer Weekly.

Prepare for DDoS attack

The UK and Swiss computer emergency response teams (Certs) both issued guidance recently after DD4BC started targeting financial institutions.

The gang emerged in 2014 when it began targeting low-level bitcoin exchanges, entertainment websites, online casinos and online betting organisations.

Other recent targets have included organisations in the oil and gas, retail and technology sectors in Europe, New Zealand and Australia, according to communications and analysis firm Neustar.


“This is a very serious threat and critical issue for organisations that depend on connectivity and their web servers and websites to operate,” said Neustar product marketing director Margee Abrams.

Don Smith, technology director at Dell SecureWorks, said: “To date, Dell SecureWorks’ experience indicates that DD4BC certainly has the capability to conduct a sustained moderate DDoS attack and, as we have seen with other DDoS incidents, these can be extremely interruptive to an organisation’s business and processes.”

“If you haven’t prepared for a DDoS attack, there is very little you can do at the time other than wait it out. Often, it will be over by the time you have put any useful technical mitigations in place. Preparation is critical,” he said.

Smith said organisations should not pay extortion demands, even if it appears the least costly option in the short run, and they should ensure they have a fully tested DDoS incident response plan and mitigation solution in place prior to a DDoS incident occurring.

A Neustar survey report published in March 2015 revealed that DDoS attacks could expose 40% of UK businesses to losses of £100,000 or more an hour at peak times. The survey also revealed that the financial sector reported the highest level of multiple DDoS attacks, with 79% reporting six or more DDoS attacks a year, compared with the cross-industry average of 20%.

DD4BC initially targeted organisations that are less likely to work with law enforcement agencies and more likely to pay than financial institutions, said Abrams. “Unfortunately, when they are successful, they keep doing it,” she told Computer Weekly.

The New Zealand National Cyber Security Centre (NCSC) has also issued a security advisory warning that several organisations have received extortion emails threatening a sustained DDoS attack unless a payment is made.

Governments issue advisories about DD4BC

Cert-UK has confirmed that it is monitoring DD4BC’s activities and that it issued an advisory through the government’s Cyber Security Information Sharing Partnership (CISP), but gave no details or any indication of whether organisations in the UK have been targeted by DD4BC.

But according to the Swiss computer emergency response team, GovCert, several high-profile organisations in Switzerland had been targeted by DD4BC.

“Of particular concern is the fact that DD4BC is likely to be using botnets-for-hire, which means it is very easy and inexpensive for them to carry out these attacks,” said Abrams.

The gang typically carries out short, low-volume DDoS attacks of 4Gbps to 30Gbps to block public access to the organisation’s website. The gang then demands payment of 15 to 100 bitcoins (£2,200-£15,000), threatening to step up the DDoS attack to 500Gbps if payment is not made.

GovCert said the DDoS attacks usually start with network time protocol (NTP, UDP port 123) and simple service discovery protocol (SSDP, UDP port 1900) amplification attacks targeting the victims’ public website, taking advantage of millions of insecure or misconfigured devices around the world.

DD4BC then moves to TCP SYN flooding and layer 7 (application layer) attacks to bypass mitigation measures taken by the internet service provider (ISP).

GovCert said that by abusing the NTP, SSDP or DNS protocols for amplification, the attackers are, in theory, able to carry out their threat of launching DDoS attacks consuming up to 500Gbps of bandwidth, which it said is about a thousand times more than a standard DSL line is able to handle.

However, GovCert and Neustar said they have not yet seen DDoS attacks by DD4BC of greater than 30Gbps.
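The progression GovCert describes (UDP reflection from NTP and SSDP, then a TCP SYN flood) is visible in ordinary flow export from a border router, so a security operations team can confirm which vector is in play before its ISP or scrubbing provider is engaged. The Python below is an added example for this article, not code from GovCert, Neustar, Arbor or any other party quoted; the record layout, the sample flows (scaled far below the 4-30Gbps seen in practice) and the thresholds are all constructed for illustration. Layer 7 floods are not detectable from flow data and need web-server logs instead.

```python
"""Flag the DD4BC-style attack progression in NetFlow-like records.

Added example for this article, not code from GovCert, Neustar or any other
party quoted. Field layout, sample flows and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services abused as reflectors, keyed by the source port the replies come from.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}


@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters (S, A, P, ...), empty for UDP
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse 'proto,src,sport,dst,dport,flags,packets,bytes' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, flags, packets, nbytes = line.split(",")
        flows.append(Flow(proto, src, int(sport), dst, int(dport), flags,
                          int(packets), int(nbytes)))
    return flows


def analyse(flows, window_s=1.0, min_reflectors=3, min_refl_bytes=200,
            min_syn_sources=20):
    """Per destination: aggregate rate in Mbit/s and the attack vectors seen.

    Amplification is recognised by many distinct sources answering from one
    reflector port with large packets (a single NTP reply to a host that asked
    for time is not flagged); a SYN flood by bare SYNs (no ACK) from many sources.
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    report = {}
    for dst, fl in by_dst.items():
        vectors = {}
        for port, name in REFLECTOR_PORTS.items():
            refl = [f for f in fl if f.proto == "udp" and f.sport == port]
            sources = {f.src for f in refl}
            pkts = sum(f.packets for f in refl)
            avg = sum(f.nbytes for f in refl) / pkts if pkts else 0
            if len(sources) >= min_reflectors and avg >= min_refl_bytes:
                vectors[name] = {
                    "reflectors": len(sources),
                    "avg_pkt_bytes": round(avg),
                    "mbps": round(sum(f.nbytes for f in refl) * 8 / window_s / 1e6, 1),
                }
        syns = [f for f in fl if f.proto == "tcp" and "S" in f.flags and "A" not in f.flags]
        syn_sources = {f.src for f in syns}
        if len(syn_sources) >= min_syn_sources:
            vectors["SYN flood"] = {"sources": len(syn_sources),
                                    "syn_per_s": round(sum(f.packets for f in syns) / window_s)}
        report[dst] = {"mbps": round(sum(f.nbytes for f in fl) * 8 / window_s / 1e6, 1),
                       "vectors": vectors}
    return report


# Constructed one-second window towards the web server 203.0.113.10 and one
# unrelated admin host. Volumes are scaled down from the real 4-30 Gbit/s attacks.
SAMPLE = """
# proto,src,sport,dst,dport,flags,packets,bytes
udp,198.51.100.7,123,203.0.113.10,41253,,2000,880000
udp,198.51.100.9,123,203.0.113.10,41253,,2000,880000
udp,198.51.100.21,123,203.0.113.10,41253,,2000,880000
udp,198.51.100.33,123,203.0.113.10,41253,,2000,880000
udp,198.51.100.58,123,203.0.113.10,41253,,2000,880000
udp,198.51.100.70,1900,203.0.113.10,53212,,1500,480000
udp,198.51.100.71,1900,203.0.113.10,53212,,1500,480000
udp,198.51.100.72,1900,203.0.113.10,53212,,1500,480000
udp,198.51.100.73,1900,203.0.113.10,53212,,1500,480000
tcp,192.0.2.250,51022,203.0.113.10,443,PA,30,9000
tcp,192.0.2.251,51900,203.0.113.10,443,S,1,60
# One legitimate NTP reply to an admin host: below the reflector threshold.
udp,198.51.100.1,123,203.0.113.20,123,,1,48
"""


def sample_flows():
    """Parsed sample plus 200 spoofed bare SYNs (one per source) as the SYN flood stage."""
    flows = parse_flows(SAMPLE)
    flows += [Flow("tcp", f"192.0.2.{i}", 40000 + i, "203.0.113.10", 443, "S", 1, 60)
              for i in range(1, 201)]
    return flows


if __name__ == "__main__":
    for dst, result in analyse(sample_flows()).items():
        print(dst, result)
```

The thresholds are the knob that matters: a handful of large UDP replies from a port the host never queried is the signature of reflection, while a single reply to a real request stays below `min_reflectors`. In production the window and limits would be derived from the site's own baseline rather than the constants above.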

Anti-DDoS measures make a difference

GovCert notes that because the attacks in Switzerland have been against high-profile organisations, most of them already have anti-DDoS systems in place and backup scenarios prepared.

“We are currently not aware of any victims in Switzerland where the DDoS has caused a significant impact on the business of the targeted organisation,” said GovCert spokesman Max Klaus.

“However, there might be some targets that are not prepared for such an attack. We therefore urge potential targets, such as online shops and financial institutions, to make sure that anti-DDoS solutions are in place and are working as expected,” he told Computer Weekly.

“Even though there are attackers that are able to launch attacks with quite big bandwidth or requests, we are convinced that organisations that are well prepared have a good chance of withstanding such attacks,” he said.

Arbor Networks said financial sector targets and their ISPs and managed security service providers (MSSPs) have generally moved quickly to successfully mitigate the DD4BC DDoS attacks.

This is mainly due to the fact that DD4BC is using well-known DDoS attack methodologies such as NTP, SSDP, SYN-flood and WordPress XML-RPC reflection/amplification attacks.

“The WordPress reflection/amplification attack, first described in early 2014, seems to be the latest addition to their repertoire,” said Roland Dobbins, a principal engineer on Arbor’s security engineering and response team (Asert).

GovCert has advised organisations targeted by DD4BC not to pay any ransom, but to talk to their ISP to discuss mitigation techniques, such as IP-based rate limiting.

The Swiss Cert also notes that because most websites are hosted on servers that are only running a web service, there is no reason to allow any UDP traffic to the web server.

GovCert said organisations should consider dropping any UDP traffic at the organisation’s or its ISP’s network edge.

Any organisation hosting critical infrastructure on the same network as its website should consider moving the website to a different network or to an anti-DDoS service provider, GovCert said.
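GovCert's two concrete recommendations, dropping all UDP to a web-only host and rate limiting by source IP, are simple to state but have edges a practitioner needs to handle: the server's own outbound lookups (for example DNS to its resolver) still need their UDP replies admitted, and a per-source SYN limit does nothing against a spoofed flood spread over thousands of addresses. The following Python models that edge policy as an added example for this article; it is not GovCert's ruleset or any ISP's product, and the policy class, packet tuples and limits are constructed for illustration.

```python
"""Edge filter for a host that only serves HTTP/HTTPS, after GovCert's advice
to drop UDP at the edge and rate-limit by source IP.

Added example for this article, not GovCert's ruleset or any ISP's product.
The policy class, packet tuples and limits are constructed for illustration.
"""
from collections import defaultdict


class WebEdgePolicy:
    def __init__(self, web_ip, max_syn_per_source=50):
        self.web_ip = web_ip
        self.max_syn_per_source = max_syn_per_source
        # Sessions the server opened itself (e.g. DNS lookups to its resolver).
        # Their replies must still come in, so "drop all UDP" has to be stateful
        # rather than a blanket rule.
        self.outbound = set()
        self.syn_seen = defaultdict(int)

    def note_outbound(self, proto, dst_ip, dst_port, src_port):
        """Record a session the web server initiated, keyed as the reply will arrive."""
        self.outbound.add((proto, dst_ip, dst_port, src_port))

    def decide(self, proto, src_ip, src_port, dst_ip, dst_port, flags=""):
        """Return 'allow' or 'drop' for one inbound packet."""
        if dst_ip != self.web_ip:
            return "allow"     # other hosts have their own policy; out of scope here
        if (proto, src_ip, src_port, dst_port) in self.outbound:
            return "allow"     # reply to a session the server initiated
        if proto == "udp":
            return "drop"      # NTP/SSDP/DNS reflection lands here; the host needs no unsolicited UDP
        if proto == "tcp" and dst_port in (80, 443):
            if "S" in flags and "A" not in flags:
                self.syn_seen[src_ip] += 1
                # A per-source limit slows one aggressive client. A spoofed SYN
                # flood spreads over thousands of sources and stays under it; that
                # case needs SYN cookies on the host or upstream scrubbing instead.
                if self.syn_seen[src_ip] > self.max_syn_per_source:
                    return "drop"
            return "allow"
        return "drop"          # nothing else is exposed on a web-only host


def demo():
    """Constructed packets exercising each branch; returns the decisions in order
    followed by the number of SYNs dropped from a single over-limit source."""
    policy = WebEdgePolicy("203.0.113.10")
    policy.note_outbound("udp", "203.0.113.53", 53, 40211)   # server queried its resolver
    packets = [
        ("udp", "198.51.100.7", 123, "203.0.113.10", 41253, ""),     # NTP reflection
        ("udp", "198.51.100.70", 1900, "203.0.113.10", 53212, ""),   # SSDP reflection
        ("udp", "203.0.113.53", 53, "203.0.113.10", 40211, ""),      # DNS reply to our query
        ("tcp", "192.0.2.250", 51022, "203.0.113.10", 443, "S"),     # ordinary client SYN
        ("tcp", "192.0.2.250", 51022, "203.0.113.10", 443, "PA"),    # data on that connection
        ("tcp", "192.0.2.9", 2222, "203.0.113.10", 22, "S"),         # SSH probe: not exposed
    ]
    decisions = [policy.decide(*pkt) for pkt in packets]
    # One source sending 60 SYNs against a limit of 50: the last ten are dropped.
    flood = [policy.decide("tcp", "192.0.2.66", 50000 + i, "203.0.113.10", 80, "S")
             for i in range(60)]
    decisions.append(flood.count("drop"))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The same logic maps directly onto a stateful firewall at the edge: accept established and related traffic first, then drop UDP towards the web server, then apply the per-source SYN limit on ports 80 and 443. Moving the site behind an anti-DDoS provider, as GovCert suggests for organisations that share a network with critical infrastructure, shifts the volumetric part of this problem off the organisation's own links entirely.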

Oerting said Barclays’ cyber defence strategy is to have the right, up-to-date defence and control procedures in place and to work closely with peers in the industry and relevant law enforcement agencies.

“That co-operation is working very well and continues to improve. Banks are, unfortunately, not the only ones in the crosshairs of cyber criminals, and the commodity today is not ‘only’ money, but also digital identities, intellectual property, strategies, sensitive documents, email correspondence and so forth,” he said.

According to Oerting, every individual or company using the internet should be alert and take necessary precautions to protect themselves.

“There is no absolute security in the physical world or in the virtual, but we try to minimise the risk of penetration every day and adapt to new threats quickly,” he said.

Abrams said the most efficient way to deal with these attacks is to be able to redirect attacks to a cloud-based anti-DDoS service provider with the necessary network capacity and filtering capabilities.

“If organisations wait until they are in a crisis, they risk being offline for as much as a day, which can be very costly to businesses dependent on being online,” she said.

Report DD4BC cyber attacks

Both Cert-UK and GovCert recommend that any organisations targeted by DD4BC should file a criminal complaint with local law enforcement organisations. Cert-UK said UK organisations should also report any DD4BC attacks to the CISP.

GovCert said it is not aware of any organisations in Switzerland that have complied with the demands of attackers. However, the organisation noted that there is no mandatory reporting in Switzerland regarding cyber attacks.

Lessen the impact of a DDoS attack

According to the NCSC security advisory, preparation is the most effective method of withstanding a DDoS attack. However, it said if an organisation is being targeted, there are a number of measures it can consider taking to reduce the impact of the attack:

  • Contact the ISP to discuss their ability to help manage or mitigate the attack.
  • Where applicable, temporarily transfer online services to cloud-based hosting providers that have the ability to withstand DDoS attacks.
  • Use a denial of service mitigation service for the duration of the DDoS attack.
  • Disable website functionality or remove content that is being specifically targeted by the DDoS attack.

Abrams said there needs to be more focus on being able to trace the origins of DDoS attacks so that law enforcement is better able to do something about it.

“Attribution is still a struggle, but in the meantime it is very important that organisations identify what their critical servers and assets are, and be prepared to defend them by having a well-defined and well-practised plan for mitigating DDoS attacks,” she said.

A Ponemon Institute study has revealed that while 55% of financial services firms consider distributed denial of service attacks an advanced threat, only 48% say they are effective in containing DDoS attacks and only 45% have established threat-sharing agreements to minimise or contain the effect of DDoS attacks.

How to defend against DDoS attacks

According to Dell SecureWorks, damage from a DDoS attack can be reduced, given proper preparation, which should include:

  • Always prepare a DDoS incident response plan in advance.
  • Have a public communication strategy. How this is approached will vary by organisation, but it is important from a reputation and public image perspective to ensure that one’s customers understand the difference between a service outage, due to DDoS attack, and the company being hacked.
  • Assess the effect of a DDoS attack on your assets/services in terms of business criticality. Consider dependencies, not just the headline services.
  • Have a contract in place with a DDoS mitigation service provider before the incident happens.
  • Consider having a retainer in place with an incident response and threat intelligence provider to support your in-house response and provide you with wider visibility on the threat actor, their tactics and procedures.
  • War game DDoS incidents before they happen:
      • Do this properly. Get all relevant stakeholders involved. This isn’t just an IT problem.
      • Business decisions are critical during an attack. They need to guide the technical response.
      • Communication is critical. During an attack things can get chaotic quickly if not managed.
      • Make changes to the plan based on the lessons learned.
