Offensive Defense: Using DDoS to Neutralize Ransomware Gangs’ Double Extortion Threat
October 25th, 2021
The cybersecurity industry is abuzz with the news that the ransomware gang REvil was taken offline through a coordinated effort of the US government and unnamed international partners.
It appears that we are seeing the “digital retaliation” President Biden hinted at in July. In elevating ransomware attacks to a priority level in line with terrorism, the US Department of Justice has created a means for infiltrating dark web forums and hacking into ransomware gangs' infrastructure to proactively neutralize the threat they pose.
While this publicized takedown took place last week, IntSights researchers have observed similar activity for the last couple of months, and we have been watching with interest to see how, if at all, it will impact ransomware operators’ tactics over the long term.
IntSights researchers observed two separate incidents in which cybercrime victims allegedly launched DDoS attacks against their attackers’ websites. In the first instance, the ransomware group LockBit threatened a large, public US company with publishing files containing proprietary company data, after the gang obtained them through an insider-enabled ransomware attack. When the company failed to respond, LockBit launched a DDoS attack against it.
But what happened next was the most interesting part: the LockBit site went offline for several days. When it came back online behind basic authentication (a username and password prompt), speculation arose in the hacker community that LockBit was itself under a DDoS attack.
The LockBit infrastructure remained unstable for approximately 3 to 4 weeks. During that time, all the data previously published on its leak blog — samples, evidence packs and full archives — was unavailable; there were no leaks to download, and therefore nothing with which to pressure victims.
The second digital-retaliation instance our researchers observed involved the Marketo stolen data black market and a certain US state’s department of military affairs. Marketo started an auction for data belonging to the government entity. At the same time, as they do for every entry in their platform, Marketo published a free evidence pack to prove it had the goods.
As in the LockBit case, the situation quickly changed when Marketo itself came under a DDoS attack. In a published statement, Marketo blamed the government entity for the attack and vowed to publish the critical data on dozens of public, military-oriented forums as well as on Reddit.
The Rationale of Retaliation
While these DDoS attacks may stop short of the more intrusive activities often associated with private sector hack back, they may be similarly motivated. To be sure, these efforts on the victims’ part have rationale behind them and are not just pure vendetta.
Denying service to the gangs' dark web servers and websites essentially disarms them. Double extortion attackers threaten to publish victims' stolen data unless they pay another ransom, and they may even sell the data to other malicious entities. To do either, they need a platform that corroborates that they are who they claim to be and that the data has value, which is why the leak sites host evidence packs and samples. If that site is not reachable, the threat falls flat: there is no place to auction the data, no proof for prospective buyers, and no public leak for the victim to fear.
A DDoS attack can only be sustained for a finite period of time, so it won't disable the bad actors forever; they can move infrastructure, put the site behind authentication, or simply wait it out. But if these digital retaliation attacks increase in number, they can become disruptive enough that attackers start going after lower-profile targets. Consider nature's deterrents: if a predator goes after a skunk, it is going to become the victim of a very stinky spray. Sooner or later, the predator will pursue less combative targets.
Increasingly, organizations are recognizing that the goal of a successful security program is to make yourself more expensive or inconvenient to attack compared to others; in other words, it’s essentially survival of the fittest. DDoSing an attack group to make it harder for them to sell your stolen data is one way to achieve this.
For now, however, these DDoS attacks are inflaming the hacker community. Operators have been taken by surprise and are shocked that anyone — especially the US Government — dares to disrupt their thriving business model. As mentioned above, time will tell whether a regular occurrence of these "offensive defense" activities will alter ransomware gangs' patterns of extortion.
Yotam Katz is a knowledge expert in operational cyber intelligence. In his current role as Threat Intelligence Product Manager at Rapid7, Yotam is responsible for identifying new and significant trends and threats in the cybersecurity landscape, and adapting and developing the product accordingly. Previously he held the role of Intelligence Team Leader, leading short- and long-term research on global, sectoral, and regional cyber threat trends. Prior to Rapid7 and IntSights (now a Rapid7 company), Yotam served as Lieutenant - Intelligence Corps in the Israeli Defense Forces, where he specialized in intelligence and cyber-intelligence gathering, and technological adaptation. In 2020, Yotam was presented with the Israel Defense Prize as a team leader. He was also awarded the “Life Source” award for cyber-operations in 2019, and two “Exceptional Officer” awards, one in 2018 and one in 2016.