Cyberattackers bury ransom demands in recent DDoS attacks


One of the most common, and irritating, cyberattacks — the distributed-denial-of-service (or DDoS) — now has the potential to come with a twist of cryptocurrency mining.

Security researchers with the internet services company Akamai have noticed something unusual as they’ve responded to a spate of recent DDoS attacks. Buried beneath the traffic deluge designed to grind a target’s web traffic to a halt are ransom notes.

“It’s actually like a DDoS attack with a phishing attack with an extortion attack all rolled into one,” said Chad Seaman, a senior engineer with Akamai’s security intelligence response team, in an interview with Fortune. “When we saw it we were like, huh, clever bastards.”

One note shared with Fortune, buried in an otherwise indecipherable string of code, makes a demand for “50 XMR,” or Monero. As of March 3, 2018, that amount of Monero is worth roughly $18,000.

It’s not uncommon for DDoS attacks to come with ransom demands of this sort, though normally such demands are relayed via email or some other means of communication after the attack has been launched. This is more of a “two birds, one stone” approach, linking the two together.

The reasoning is simple. As Akamai told Fortune, ransom notes sent via email often go unseen due to spam protections. Inserting the note into DDoS code ensures that the target's security analysts will see it as they investigate the attack data.
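For analysts reviewing attack data, the sketch below shows one way to surface such a note from captured payloads. It is an added example, not code from Akamai or the original article: the function names, the note wording, the wallet placeholder and the sample payloads are constructed, and the assumption that a genuine note repeats across many packets of the flood is ours.

```python
import re
from collections import Counter

# Runs of 6+ printable ASCII bytes, similar to the Unix `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# An amount followed by a cryptocurrency ticker or name, e.g. "50 XMR".
DEMAND = re.compile(r"\b(\d+(?:\.\d+)?)\s*(XMR|BTC|Monero|Bitcoin)\b", re.IGNORECASE)


def find_demands(payloads):
    """Map (amount, currency) -> number of payloads that contain that demand."""
    hits = Counter()
    for payload in payloads:
        seen = set()  # count each demand once per payload
        for run in PRINTABLE_RUN.findall(payload):
            for amount, currency in DEMAND.findall(run.decode("ascii")):
                seen.add((amount, currency.upper()))
        hits.update(seen)
    return hits


def triage(payloads, min_share=0.5):
    """Demands seen in at least min_share of payloads, most frequent first.

    Assumption: a real note is repeated across the flood, so a string that
    appears in a single packet is more likely incidental.
    """
    total = len(payloads)
    if total == 0:
        return []
    return [(d, n) for d, n in find_demands(payloads).most_common()
            if n / total >= min_share]


# Constructed sample payloads: non-printable filler around readable text.
NOISE = bytes(range(0, 32)) * 4
SAMPLE_PAYLOADS = [
    NOISE + b"Pay 50 XMR to <WALLET-PLACEHOLDER>" + NOISE,
    NOISE + b"Pay 50 XMR to <WALLET-PLACEHOLDER>" + NOISE,
    NOISE + b"GET /index.html HTTP/1.1" + NOISE,
    b"\xff\xfe\x00\x01" * 16,
]

if __name__ == "__main__":
    for (amount, currency), count in triage(SAMPLE_PAYLOADS):
        print(f"{amount} {currency} seen in {count}/{len(SAMPLE_PAYLOADS)} payloads")
```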

Monero is more attractive to cyberattackers than a cryptocurrency like Bitcoin because it’s more difficult to trace. While both rely on public ledgers for recording and tracking transactions, Monero ledgers hide the sender, recipient, and amount of each transaction.

The inherent anonymity of Monero also means the attackers themselves don’t necessarily know who’s paid up or who hasn’t. That fact alone should discourage any targeted interest from paying up.
