The last quarter of 2020 has seen a wave of web application attacks which have used ransom letters to target businesses across a number of industries.


According to research from Akamai, the largest of these attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign with higher bits-per-second (BPS) and packets-per-second (PPS) rates than similar attacks had displayed a few weeks prior.


“Prior to August, the signal vectors had been primarily used to target the gaming industry,” the company claimed. “Starting in August, these attacks abruptly swung to financial organizations, and later in the cycle, multiple other verticals.”


Akamai explained that none of the vectors involved in this series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. “Seeing a common set of protocols being used as amplifiers in a DDoS campaign is, by itself, an indicator of new tools, or configurations, being used by criminals, rather than an indicator of an extortion campaign,” it said.


However, multiple organizations began to receive targeted emails threatening a DDoS attack that would be launched unless a ransom was paid. Richard Meeus, director of security technology and strategy at Akamai, said a small DDoS would be launched against the company “to show that they [attackers] were serious, and then there was a threat of a 1Tbps attack if you didn’t pay.”


“Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point,” Meeus said. “In contrast, this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.”


Whilst Akamai said many of the extortion emails end up caught by spam filters, not all targets are willing to admit they’ve received an email from the attackers.


“This extortion DDoS campaign is not over,” Akamai said, “the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.”


Speaking on a webinar last week, Richard Meeus, director of security technology and strategy at Akamai, said the company had seen the number of attacks per day increase from one million in January of this year to three million in September. “When we look at the specific data points, and look at the last two big spikes, they were both against financial services,” he said.


This campaign peaked in August and September, “and it reached its peak, perhaps when the attackers believed they had been mitigated and began to start changing their tactics.” This included a move to use layer three and four attacks, which are usually targeted at data centers, websites and APIs.


Meeus also said there had been a 200% increase in attacks against web application firewalls, which he was quite surprised by. Meanwhile, “DDoS attacks come in waves” and “ransom attacks have been going on for a number of years and we successfully take down the perpetrators, but they come back again as it is an extortion technique that works.”