Offensive Defense: Using DDoS to Neutralize Ransomware Gangs’ Double Extortion Threat

The cybersecurity industry is abuzz with the news that the ransomware gang REvil was taken offline through a coordinated effort of the US government and unnamed international partners.

It appears that we are seeing the “digital retaliation” President Biden hinted at in July. In elevating ransomware attacks to a priority level in line with terrorism, the US Department of Justice has created a means for infiltrating dark web forums and hacking into ransomware gangs' infrastructure to proactively neutralize the threat they pose.

While this publicized takedown took place last week, IntSights researchers have observed similar activity for the last couple of months, and we have been watching with interest to see how, if at all, it will impact ransomware operators’ tactics over the long term.

Fighting Back

IntSights researchers observed two separate incidents in which cybercrime victims allegedly launched DDoS attacks against their attackers’ websites. In the first instance, the ransomware group LockBit threatened a large, public US company with publishing files containing proprietary company data, after the gang obtained them through an insider-enabled ransomware attack. When the company failed to respond, LockBit launched a DDoS attack against it.

But what happened next was the most interesting: The LockBit site went offline for several days. When it came back online behind basic authentication (user password), speculation arose in the hacker community that LockBit were themselves under a DDoS attack.

Hackers chatting on popular Russian cybercrime forum about the apparent LockBit takedown (redactions by IntSights)

The LockBit infrastructure was unstable for approximately 3 to 4 weeks. This means that all the previously published data in their blog — samples, evidence packs and full archives — were unavailable; no leaks to download.

The second digital-retaliation instance our researchers observed involved the Marketo stolen data black market and a certain US state’s department of military affairs. Marketo started an auction for data belonging to the government entity. At the same time, as they do for every entry in their platform, Marketo published a free evidence pack to prove it had the goods.

As in the LockBit case, the situation quickly changed when Marketo itself came under a DDoS attack. In a published statement, Marketo blamed the government entity for the attack and vowed to publish the critical data on dozens of public, military-oriented forums as well as on Reddit.

This Marketo statement against its DDoS attacker was published on multiple channels including Twitter and Telegram, as well as their own blog and its users’ blogs (redactions by IntSights)

The Rationale of Retaliation

While these DDoS attacks may stop short of the more intrusive activities often associated with private sector hack back, they may be similarly motivated. To be sure, these efforts on the victims’ part have rationale behind them and are not just pure vendetta.

Denying service from dark web servers and websites essentially disarms the hackers. Double extortion attackers threaten to publish victims’ stolen data unless they pay another ransom. They may even sell the data to other malicious entities. In order to do this, they need a platform that corroborates that they are who they claim to be and the data has value. If their site is not available for this purpose, their threat falls flat.

A DDoS attack can only be run for a finite period of time, so it won’t disable the bad actors forever. But if these digital retaliation hacks increase in number, they can become disruptive enough for attackers to go after lower profile targets. Consider nature’s deterrents; if a predator goes after a skunk, he’s going to become the victim of a very stinky spray. Sooner or later, the predator will pursue less combative targets.

Increasingly, organizations are recognizing that the goal of a successful security program is to make yourself more expensive or inconvenient to attack compared to others; in other words, it’s essentially survival of the fittest. DDoSing an attack group to make it harder for them to sell your stolen data is one way to achieve this.

For now, however, these DDoS attacks are inflaming the hacker community. They have been taken by surprise and are shocked that anyone — especially the US Government — dare disrupt their thriving business model. As mentioned above, time will tell whether a regular occurrence of these “offensive defense” activities will alter ransomware gangs’ patterns of extortion.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.