DDoS Extortion Attacks Are Driving Security Risks in 2021

Akamai and Equinix provide an interconnected, real-time detection and mitigation solution

Vaughn Eisler
DDoS Extortion Attacks Are Driving Security Risks in 2021

In May of 2020, Akamai and Equinix launched a jointly developed cloud-based, interconnected DDoS detection and mitigation solution that helps organizations quickly and easily connect to Akamai’s Prolexic global DDoS service via Equinix Fabric™, enabling businesses to thwart DDoS attacks in real-time.

Almost a year later, we’ve seen increased adoption of our joint solution, mainly as a result of DDoS extortion attack trends and activity. DDoS attack campaigns are once again a classic threat actor motivator and are still making headlines and disrupting organizations globally – well into 2021.

Protect against a range of DDoS attacks with Akamai Prolexic

The Akamai Prolexic cloud-based DDoS scrubbing platform protects enterprise IP space wherever it is deployed, whether in a private data center, the public cloud, or a colocation facility such as Equinix.

Download More
DDoS facts image Akami

The DDoS extortion campaign felt around the world

As a quick refresher, beginning mid-August 2020, threat actors posing as the notorious Fancy Bear (APT 28) and Armada Collective[i] launched global DDoS extortion campaigns (similar to the ones witnessed in fall of 2019)[ii] demanding Bitcoin payment to prevent an impending attack. Extortion payments are reportedly ranging between five (~$50K) to thirty (~$300K) Bitcoin[iii] depending on the demands of the particular criminal ring. Additionally, the attackers have been conducting a reconnaissance of victim environments to identify subnets and IP space that could be vulnerable to DDoS disruption and are less commonly targeting web urls. In certain instances, DNS servers have been part of the attacked infrastructure.

While the financial sector was the primary target for extortion, the campaign quickly expanded to include thousands of organizations globally[iv] across pharmaceuticals, healthcare, retail, oil and gas, travel and hospitality, logistics, airlines and high-tech industries ꟷ just to name a few. In many cases, victim organizations experienced show-of-force attacks that accompanied the initial extortion letters typically in the 20-50 Gbps range, with one reaching 100 Gbps, proving that the threat of an impending attack was real. Upon reaching the threatened extortion payday deadline, a European online-gambling organization was targeted by DDoS attacks upwards of 800+ Gbps.[v]

These criminal actors have even threatened permanent DDoS attacks[vi] for non-compliance with one group claiming 2 Tbps attack capabilitiesi against victim infrastructure. As with many DDoS campaigns, those behind these attacks are adapting their tactics and techniques by changing attack vectors, requiring more robust mitigation to prevent business-impacting downtime, especially if defensive controls were not previously in place.

Let’s take a quick look at how one Equinix customer, impacted by the extortion campaign, was able to rapidly deploy Akamai Prolexic DDoS mitigation controls using Equinix Fabric to quickly connect to the Akamai Prolexic solution.

Equinix and Akamai technology partnership enables rapid customer relief

It all started when one of Equinix’s customers, an international investment holding company, was hit with a DDoS extortion show of force attack that took their email servers completely offline. Unable to conduct business critical functions and with communications grinding to a halt, the company immediately reached out to Akamai to discuss emergency integration options for Prolexic DDoS defenses to restore service availability. Upon further consultation with the Prolexic team, it was uncovered that the customer already had a preexisting relationship with Equinix, making direct connectivity to Akamai Prolexic Connect via Equinix Fabric the quickest and easiest solution to access world class cloud-scrubbing protection and immediate relief.

With every second counting, it was imperative to enable an optimized defensive posture to stop the attack as quickly as possible, while reducing the customer’s overall DDoS attack surface and risk. The enhanced interconnectivity option enabled by Equinix Fabric to the Akamai Prolexic platform allowed a virtual appliance to be spun up and DDoS service to be turned on in less than one hour. This was faster than if the service provider were to use traditional Generic Routing Encapsulation (GRE) tunnels – to quickly deploy DDoS protection across the customer’s entire internet-facing environment.

While the financial sector was the primary target for extortion, the campaign quickly expanded to include thousands of organizations globally...”

 

A solid offense needs a solid defense against DDoS attackers

Our technology partnership and interconnected solution with Akamai Prolexic allows Equinix customers to directly connect to the Prolexic platform, eliminating overhead and bandwidth constraints associated with moving traffic through multiple GRE/ IPsec tunnels, a common approach for returning clean traffic to customer origins. This is important, as capacity is needed to effectively mitigate large-scale DDoS attacks that oftentimes exceed the connected bandwidth that even most enterprises contract/purchase or deploy to run their business. This means such limitations could be devastating for most companies under a major attack.

And in the wake of the largest extortion campaign ever launched globally, it’s important to recognize that enterprises that don’t have DDoS mitigation defenses in place will be left with two choices – pay the ransom (which the FBI strongly warns against) or scramble to deploy security controls to minimize potential disruption. At the end of the day, the best time to implement DDoS security controls and reduce risk is during peacetime, not when an organization is experiencing a DDoS event or under the threat of impending attack. By leveraging the technology partnership between Equinix and Akamai Prolexic, our customers can do just that – proactively access world class DDoS mitigation via Equinix Fabric.

To learn more read the Equinix/Akamai Solution Brief.

 

[i] Akamai Blog, “Ransom Demands Return: New DDOS Extortion Threats From Old Actors Targeting Finance and Retail,” August 17, 2020,

[ii] Akamai Blog, “Fake Cozy Bear Group Making DDOS Extortion Demands,” November 15, 2019.

[iii] Security Boulevard, “Akamai Identifies Copycat DDoS Extortion Rings,” by Michael Vizard on August 21, 2020.

[iv]FBIFlash, “Cyber Criminals Claiming to be Fancy Bear Conduct Ransom Denial of Service Attacks

Against Financial Institutions, Other Industries Worldwide,” August 28, 2020.

[v] Akamai Blog, “2021: Volumetric DDOS Attacks Rising Fast,” by Tom Emmons, March 31, 2021.

[vi] Dark Reading, “New Campaign Combines Extortion, DDoS,” by Curtis Franklin Jr., August 8, 2020.

The enhanced interconnectivity option enabled by Equinix Fabric to the Akamai Prolexic platform allowed a virtual appliance to be spun up and DDoS service to be turned on in less than one hour.”
Vaughn Eisler
Vaughn Eisler Director, Business Development, Security and Storage