A group of threat actors calling themselves DD4BC has been attempting to extort money from financial companies and other business by threatening to hit them with massive distributed denial of service attacks (DDoS), content delivery vendor Akamai said in a report published today.
The group has been active since at least September 2014, but appears to be ratcheting up its operations and going after a broader cross section of targets. Since April 2015, the group has hit at least 114 Akamai customers with DDoS attacks, with an average peak bandwidth of around 13.34 Gbps.
The largest of the attacks that Akamai observed generated over 56.2 Gbps of traffic. At the height of the group’s activity in June, Akamai mitigated at least 8 DDoS attacks that had peak bandwidths of more than 23 Gbps.
In DDoS attacks, threat actors use botnets to direct large volumes of useless traffic to a target network with the intention of overwhelming it. Generally, the higher the sustained peak bandwidth of a DDoS attack, the more potential it has to knock a website offline or make it completely inaccessible from the outside.
With DD4BC, the attacks were preceded by emails from members of the group that have attempted to extort money from the targets, Akamai found. Victims were first informed that a low-level DDoS attack would be launched against their site if they did not pay a specific ransom amount in Bitcoins within a particular time period. The emails included details on how and where the victims would pay, and included a promise not to target them again if they complied.
Messages that were ignored were quickly followed with more ominous threats about bigger DDoS attacks and higher ransom amounts.
Samples of the threatening emails posted by Akamai show that the ransom amounts demanded by the group were relatively modest, ranging from 25 Bitcoins to 50 Bitcoins, or between $6,000 and $12,000 at current currency exchange rates.
"Your site is going under attack unless you pay 25 Bitcoin," one email stated. "Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother."
The email goes on to inform the target that a low-level DDoS attack was being launched against it to demonstrate the seriousness of the threat. The attackers promise never to threaten the victim again if the ransom is paid up: "We do bad things, but we keep our word."
Subsequent emails warn the victim against ignoring the ransom demand. "And you are ignoring us. Probably because you don’t want to pay extortionists. And you believe that after sometime we will give up. But we never give up," the follow-up messages read.
Lisa Beegle, manager at Akamai’s Prolexic Security Engineering & Research Team (PLXsert) describes DD4BC as a dangerous group. "This group has definitely followed through" with its threats, Beegle says. "If an organization gets a note [from DD4BC], they should take it seriously," she says.
Beegle says it’s difficult to know for sure how many organizations have paid the ransom demanded by DD4BC. But it is likely that at least a few of them have complied with the demands, she says.
From the size of the attacks that Akamai has observed, it’s highly unlikely that DD4BC has the ability to launch the 400 to 500 Gbps attacks that the group mentions in its extortion emails, Beegle notes.
At the same time, the average peak attack bandwidths achieved by the group are enough to overwhelm many websites, she says. "The average organization has a 10 Gbps pipeline," Beegle says. "So a 13 GBPs attack would exceed their bandwidth capacity."
Financial services firms were targeted in 58 percent of these attacks. Of that number, banks and credit unions accounted for 35 percent of the attacks, 13 percent involved currency exchanges while the rest were payment processing firms, according to Akamai.