17 November 2021  —  Acronis

What is a RDDoS (Ransom Distributed Denial of Service) Attack?

Ransom distributed denial of service attacks (RDDoS) are extortion-based distributed denial of service (DDoS) cyberattacks that are motivated by financial gain. With RDDoS, cybercriminals threaten to launch an extended DDoS attack unless the target pays a ransom before a specified deadline.  

RDDoS should not be confused with ransomware (or other types of cyberattacks) — even though the two attacks share the word “ransom” and may seem similar. The difference is that, in a RDDoS cyberattack, cybercriminals do not need access to the company’s systems or network. Also, RDDoS campaigns don’t attempt to encrypt files or lock users out of systems; instead, they focus on knocking business-critical websites, networks, services, and other vital infrastructure offline unless the cybercriminal’s demands are met.

The difference between RDDoS and DDoS cyberattacks

RDDoS attacks are a form of DDoS used solely for financial gain. Whereas DDoS attacks may be motivated by many different reasons such as hacktivism, publicity, ill will, the perception of a new challenge, or other hacker whims, RDDoS campaigns focus only on profiting from ill-gotten ransoms.

The rise of ransom distributed denial of service attacks

RDDoS attacks first started in the 1990s. But at that time, the overall risk was relatively low since most companies had other channels for continued sales during an attack. The world of e-commerce and online shopping was still new enough that the majority of retailers still did the bulk of their sales in physical brick-and-mortar stores. This meant they could weather the storm if their website went down briefly without the loss of significant revenues and profits. 

Some of the most high-profile RDDoS attacks occurred in the mid-2010s, when cybercriminal groups such as DD4BC (“DDoS for Bitcoin”), Armada Collective, Lazarus Group, Cozy Bear and others started to carry out a number of increasingly sophisticated RDDoS attacks. They succeeded often enough to spur the emergence of even more copycat groups and individual cybercriminals.

Unfortunately, this means that RDDoS is here to stay. According to research findings from Neustar in its “Cyber Threats and Trends Report,” there was a 150% increase in the number of DDoS attacks in the first half of 2020 as compared to the same period in 2019. The same trends are true for RDDoS.

How does RDDoS work?

A typical RDDoS attack starts with an email sent to a victim warning them that a DDoS attack will occur unless a certain amount of Bitcoin is paid as a ransom by a specific deadline. Actual ransom demands have ranged from hundreds of dollars to millions — and could soon creep higher.  

The criminals may make claims about their capabilities or past track record to further convince victims that they are capable of pulling off a devastating DDoS attack. For example, many groups have threatened attacks in the 400-500 Gbps range, and one even encouraged the victim to research “New Zealand DDoS attack” to see how they had successfully taken down the New Zealand stock exchange.

After sending the email, the cybercriminal group may initiate a brief, smaller-scale DDoS attack to prove they’re not bluffing and can actually carry out the threat.  If and when they do launch a full DDoS attack, the cybercriminals may take control of several internal computers and harness them as a botnet to launch the attack. Botnets are also available for purchase on the dark web — for as little as $100-$150 — making it extremely easy and cost effective for cybercriminals to launch DDoS attacks.  

Is it a good idea to pay RDDoS ransom?

Most cybersecurity experts believe that it is not a good idea to pay RDDoS ransoms. First, payment only contributes to criminals’ success, which in turn may lead to an increase in these types of cyberthreats.

Additionally, there have been a number of cases where the ransom was paid, yet the RDDoS attack was not lifted. One of the most infamous examples of this occurred in 2015, when the cybercriminal group Armada Collective launched a RDDoS attack against email service provider ProtonMail. Despite paying the ransom, ProtonMail continued to suffer from what were often even more sophisticated DDoS attacks.

One other reason: in many cases, cybercriminals sent the same Bitcoin wallet ID to many different organizations for their ransom demands. This meant that the cybercriminals had no way of knowing which victims had actually paid the ransom. This demonstrated that the threat actors had no real intention of ceasing their attacks — or even worse, could return and perform other RDDoS attacks since they couldn’t tell which companies had paid in the past.   
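A defender-side triage of the shared-wallet pattern described above, as an added example that is not from the original article: it extracts Bitcoin addresses from received extortion emails and reports any address demanded from more than one recipient organization. The sample messages, addresses and domain names are constructed, and addresses are matched by pattern only, without checksum validation.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Legacy Base58 (1.../3...) and bech32 (bc1...) address shapes.
# Pattern match only: no checksum is verified (assumption of this example).
BTC_ADDR = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b"
)

def wallets_by_recipient(raw_notes):
    """Map each wallet address to the set of recipient domains it was sent to."""
    seen = defaultdict(set)
    for raw in raw_notes:
        msg = message_from_string(raw)
        _, addr = parseaddr(msg.get("To", ""))
        domain = addr.rpartition("@")[2].lower() or "unknown"
        for part in msg.walk():
            if part.is_multipart():
                continue
            payload = part.get_payload(decode=True) or b""
            text = payload.decode("utf-8", errors="replace")
            for wallet in set(BTC_ADDR.findall(text)):
                seen[wallet].add(domain)
    return seen

def shared_wallets(raw_notes):
    """Wallets demanded from more than one organization, so that a payment
    to them cannot be attributed to a single victim."""
    return {
        wallet: sorted(domains)
        for wallet, domains in wallets_by_recipient(raw_notes).items()
        if len(domains) > 1
    }

# Constructed sample extortion emails (addresses are not real wallets).
NOTES = [
    "From: sender@mail.invalid\nTo: it@alpha.example\nSubject: DDoS warning\n\n"
    "Pay 2 BTC to 1SharedWaLLetConstructedXXXXXXXXX before the deadline.\n",
    "From: sender@mail.invalid\nTo: noc@beta.example\nSubject: DDoS warning\n\n"
    "Pay 2 BTC to 1SharedWaLLetConstructedXXXXXXXXX before the deadline.\n",
    "From: sender@mail.invalid\nTo: ops@gamma.example\nSubject: DDoS warning\n\n"
    "Pay 5 BTC to 1UniqueWaLLetConstructedYYYYYYYYY before the deadline.\n",
]

if __name__ == "__main__":
    for wallet, domains in shared_wallets(NOTES).items():
        print(f"{wallet} was sent to {len(domains)} organizations: {domains}")
```
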

Can a RDDoS attack be prevented?

Unfortunately, RDDoS attacks can’t be prevented: threat actors are unpredictable in whom they target, and these types of attacks don’t require a breach or access to a company’s assets. However, companies can take proactive cybersecurity measures, such as having comprehensive backup and disaster recovery strategies as well as a commitment to a larger cyber resilience program.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.