Travelex didn’t pay the ransom this time and instead weathered a DDoS attack the hackers launched as a sort of warning shot and then a second barrage. “Whoever’s behind this probably thought that Travelex must be a soft target based on what happened at the beginning of the year,” says Greg Otto, a researcher at Intel471. “But why would you hit a company that has probably gone through the effort to shore up their security? I understand the logic, but also I just think there are holes in that logic.” Travelex did not return a request from WIRED for comment about the August extortion attempt.
Extortion DDoS attacks have never been especially profitable for scammers, because they don’t have the visceral urgency of something like ransomware, when the target is already hobbled and may be desperate to restore access. And though this has always been a weakness of the strategy, the threats are potentially even less potent now that robust DDoS defense services have become widespread and relatively inexpensive.
“Generally speaking, DDoS as an extortion method isn’t as profitable as other types of digital extortion,” says Robert McArdle, director of forward-looking threat research at Trend Micro. “It’s a threat to do something as opposed to the threat that you’ve already done it. It’s like saying, ‘I might burn your house down next week.’ It’s a lot different when the house is on fire in front of you.”
Given the spotty effectiveness of extortion DDoS, attackers are invoking the notorious state-backed hacking groups in an attempt to add urgency and stakes. “They’re fear-mongers,” says Otto. And the attacks likely work at least occasionally, given that attackers keep returning to the technique. For example, Radware noted that in addition to impersonating Fancy Bear and Lazarus Group, attackers have also been going by the name “Armada Collective,” a moniker that extortion DDoS actors have invoked numerous times in recent years. It’s unclear whether the actors behind this incarnation of Armada Collective have any connection to past generations.
Though most organizations with resources for digital defense can protect themselves effectively against DDoS attacks, researchers say it’s still important to take these threats seriously and actually invest in strong protections. The FBI reinforced this message in a bulletin at the beginning of September about actors pretending to be Fancy Bear. It reported that at the beginning of August, thousands of institutions around the world began receiving extortion notes.
“Most institutions that reached the six-day mark did not report any additional activity or the activity was successfully mitigated,” the FBI wrote. “However, several prominent institutions did report follow-on activity that impacted operations.”
While the attacks may not be as crippling for most targets as ransomware can be, they still pose a nagging threat to organizations that don’t have adequate DDoS defenses in place. And with so many other types of threats to navigate, it’s easy to imagine that the scare tactics could work often enough to make it all worth attackers’ while.
This story originally appeared on wired.com.
