Everything You Need to Know About Ransom Web Attacks

The Internet is one enormous network composed of smaller networks that interact to share information between dispersed locations on the planet. This particular model has the advantage of opening us up to one another and shrinking the world to an incredible degree. The disadvantage is that the way the infrastructure is set up makes it vulnerable to attacks that can overpower one node’s ability to transmit messages. This is how distributed denial of service (DDoS) works.

There are many reasons why people execute such attacks, but a recent trend has emerged in which attackers are now asking for remuneration with the promise that the attacks will stop once the payment is made. To better understand how to stop ransom web attacks, we will need to dive into the minds of the attackers and understand how they differentiate themselves.

Think of a ransom DDoS attack as a kidnapping. The perpetrator has taken something of value from the victim and asks for compensation, promising restitution of what was lost. In this case it’s not a human being kidnapped but the ability for a web service to operate. Attacks often happen on websites, but they could also bring down any other service that uses the Internet. Some of the worst attacks could take down a service, even if the port attacked is closed simply because the infrastructure becomes overloaded by an excessive amount of incoming traffic. Lighter attacks may be more effective on an open port (i.e. a port that is actively “listening” for traffic because a service runs on it, such as port 80 for HTTP).

Unlike ransomware, which kidnaps your computer from you, a ransom attack robs you of your ability to provide services over the Internet. If your computer (as opposed to a remote server) is the target of the attack, you also lose the entire ability to communicate or browse on the Web. For major companies this may create losses that amount to more capital than what they would spend paying the ransom, which is why they may give in to the demands.

ransomattack-ransom

A ransom attack, as opposed to hacktivism, does not have any ulterior motive other than short-term profit. While hacktivists may be attacking a server for a cause (such as the October 2015 attacks on allegedly racist websites), ransom attackers will be satisfied only by a lump sum of cash. Hacktivism can be more severe in most cases since the duration of their attacks can be much longer. Despite the distinction I have outlined, the two groups may overlap. Hacktivists can sometimes ask for ransom, although the “reward” may not be in the form of monetary gain but a change in policy or some sort of other measure. Such was the case when Canadian intelligence services were threatened by Anonymous in mid-July 2015.

ransomattack-servers

As I mentioned earlier, ransom attacks can cause significant losses during the outages. The longer the attack lasts, the more tempting it is for the target to pay the ransom to cut their losses. This is a flawed way to do things and puts the victim at a more vulnerable position considering there is no guarantee that the attackers will keep their word. Such was the case in November 2015 when a Swiss firm called Protonmail that provided encrypted email services paid the ransom and the attacks continued. The payment simply motivates the attackers to press harder and try their luck again by adding more demands to the table.

The best way to solve the issue is to wait until the attackers move onto another target (which usually happens after they realize they’re not going to get what they asked for). If this is unacceptable, perhaps you should be running your web services on a load balancing infrastructure which will help maintain traffic flow while the main server is attacked. You could use a service like CloudFlare or Incapsula to make sure that addresses are filtered and no attacker knows your website’s actual IP address.

Do you have any other suggestions for victims of ransom Web attacks? Let us know in a comment!