Over the past week, it has become clear that attackers are seizing on the memcached DDoS attack vector as an opportunity to extract payments from the companies they attack. Akamai reported that one group of DDoS attacks executed through memcached servers differed from the others: rather than hitting targets with UDP packets composed of random data, this group leaves short messages inside the packets. The message demands that the victim pay 50 Monero (around $17,000) to a Monero wallet. The group does not explicitly say it will then end the attack, but the implication is that payment would end it.
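A defender watching for this traffic wants two things from a capture: confirmation that the flood is reflected memcached output (UDP, sourced from port 11211, far larger than any request) and the text that has been smuggled into it. The following is an added example, not code from the article or from Akamai; it runs over constructed packet records rather than a real capture, and the size threshold, the keyword list and the placeholder wallet text are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

MEMCACHED_PORT = 11211     # memcached's default port; reflected responses come from here
MIN_RESPONSE_BYTES = 1000  # assumption: only large UDP responses count as amplification
MIN_TEXT_RUN = 16          # shortest printable run worth surfacing as a possible note

# Words an analyst would look for in extracted text (assumption, tune as needed)
RANSOM_HINTS = re.compile(r"\b(pay|monero|xmr|bitcoin|btc|wallet)\b", re.IGNORECASE)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


def printable_runs(payload: bytes, min_len: int = MIN_TEXT_RUN) -> list:
    """Return runs of printable ASCII embedded in an otherwise binary payload."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, payload)]


def is_memcached_reflection(pkt: Packet) -> bool:
    """Reflected memcached response: UDP, sourced from 11211, and large."""
    return (pkt.proto == "udp" and pkt.src_port == MEMCACHED_PORT
            and len(pkt.payload) >= MIN_RESPONSE_BYTES)


def extract_ransom_note(pkt: Packet) -> Optional[str]:
    """First printable run that looks like a demand for payment, if any."""
    for run in printable_runs(pkt.payload):
        if RANSOM_HINTS.search(run):
            return run
    return None


def summarize(packets) -> dict:
    """Group reflected traffic per victim: distinct reflectors, bytes, embedded notes."""
    report = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "notes": set()})
    for pkt in packets:
        if not is_memcached_reflection(pkt):
            continue
        entry = report[pkt.dst_ip]
        entry["reflectors"].add(pkt.src_ip)
        entry["bytes"] += len(pkt.payload)
        note = extract_ransom_note(pkt)
        if note:
            entry["notes"].add(note)
    return dict(report)


# Constructed sample traffic, not a real capture: one reflector returns filler
# only, a second embeds a note in the filler, a third packet is unrelated UDP.
FILLER = bytes(range(0, 20)) * 60              # 1200 bytes of non-printable filler
NOTE = b"PAY 50 XMR TO <WALLET_PLACEHOLDER>"   # placeholder text, not a real address

SAMPLE_PACKETS = [
    Packet("198.51.100.10", 11211, "203.0.113.5", 40000, "udp",
           b"VALUE k 0 1200\r\n" + FILLER + b"\r\nEND\r\n"),
    Packet("198.51.100.11", 11211, "203.0.113.5", 40000, "udp",
           b"VALUE k 0 1234\r\n" + FILLER + NOTE + b"\r\nEND\r\n"),
    Packet("198.51.100.12", 53, "203.0.113.5", 40000, "udp", b"\x00" * 1200),
]

if __name__ == "__main__":
    for victim, entry in summarize(SAMPLE_PACKETS).items():
        print(victim, len(entry["reflectors"]), "reflectors,",
              entry["bytes"], "bytes, notes:", sorted(entry["notes"]))
```

The per-victim grouping matters because the note itself is the only attacker-supplied artefact in the flood; recording which reflectors carried it, and which did not, is what lets an incident responder tell a targeted extortion run from background reflection noise.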
These kinds of RDoS (ransomware DDoS) attacks first appeared in 2015 and were initially called DDoS-for-Bitcoin after the group, DD4BTC, that spearheaded the tactic. The group would e-mail a company warning that it would launch a DDoS attack unless a ransom was paid. The group, which primarily targeted the online gaming industry, was arrested in early 2016 in a joint effort by law enforcement agencies in Austria, Bosnia and Herzegovina, Germany and the United Kingdom together with Europol. Businesses that paid the ransom frequently found themselves re-targeted for a higher amount.
Other factions followed, such as Armada Collective and XMR Squad, but in many cases the attackers did not actually have the capability to launch a DDoS attack if a victim chose to ignore the ransom demand. The memcached-based DDoS extortions are, unfortunately, different.
Attackers genuinely have the capacity to take companies down because of the large number of unsecured memcached servers that can be used to launch the attacks, and victims facing a credible, heavy threat are more likely to pay.
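The unsecured servers that make these attacks possible are ones that answer over UDP and listen on every interface. memcached controls both with two command-line options: `-U <port>` / `--udp-port=<port>` sets the UDP port (0 disables the UDP listener; builds from 1.5.6 onward disable it by default) and `-l <addr>` / `--listen=<addr>` restricts the listening address. The audit below is an added example, not code from the article or the memcached project; it inspects a memcached command line as it would appear in a process list or init script and reports whether the instance is a usable reflector. The `udp_enabled_by_default` flag is a caller-supplied assumption about the build, and the sample command lines are constructed.

```python
import shlex
from typing import Dict, List

# Addresses that mean "every interface" (assumption: the common spellings)
WILDCARD_BINDS = {"0.0.0.0", "::", "::0", "*"}


def parse_memcached_options(cmdline: str) -> Dict[str, str]:
    """Pull the UDP-port and listen-address settings out of a memcached command line.

    Handles the short and long forms memcached accepts: -U 0, -U0, --udp-port=0,
    -l 127.0.0.1, -l127.0.0.1, --listen=127.0.0.1. Other options are ignored.
    """
    tokens = shlex.split(cmdline)
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--udp-port="):
            opts["udp_port"] = tok.split("=", 1)[1]
        elif tok in ("-U", "--udp-port") and i + 1 < len(tokens):
            opts["udp_port"] = tokens[i + 1]
            i += 1
        elif tok.startswith("-U") and not tok.startswith("--"):
            opts["udp_port"] = tok[2:]
        elif tok.startswith("--listen="):
            opts["listen"] = tok.split("=", 1)[1]
        elif tok in ("-l", "--listen") and i + 1 < len(tokens):
            opts["listen"] = tokens[i + 1]
            i += 1
        elif tok.startswith("-l") and not tok.startswith("--"):
            opts["listen"] = tok[2:]
        i += 1
    return opts


def audit_memcached(cmdline: str, udp_enabled_by_default: bool = True) -> Dict[str, object]:
    """Report whether this instance could be abused as a UDP reflector.

    udp_enabled_by_default describes the build: True for releases before 1.5.6,
    which listened on UDP unless told otherwise; False for later ones.
    """
    opts = parse_memcached_options(cmdline)
    findings: List[str] = []

    if "udp_port" in opts:
        udp_enabled = opts["udp_port"] != "0"
    else:
        udp_enabled = udp_enabled_by_default
    if udp_enabled:
        findings.append("UDP listener enabled; add '-U 0' unless UDP is required")

    # No -l at all means bind to every interface; a list may mix addresses.
    listen = opts.get("listen")
    addrs = [a.strip() for a in listen.split(",")] if listen else []
    exposed_bind = not addrs or any(a in WILDCARD_BINDS for a in addrs)
    if exposed_bind:
        findings.append("listening on all interfaces; bind with '-l' to a "
                        "loopback or internal address and firewall 11211")

    return {
        "udp_enabled": udp_enabled,
        "exposed_bind": exposed_bind,
        "reflector_risk": udp_enabled and exposed_bind,
        "findings": findings,
    }


# Constructed command lines: a typical pre-2018 default and a hardened one.
WEAK_CMDLINE = "memcached -m 64 -p 11211 -u memcache"
HARDENED_CMDLINE = "memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        result = audit_memcached(cmd)
        print(name, "reflector_risk =", result["reflector_risk"])
        for finding in result["findings"]:
            print("  -", finding)
```

Binding to an internal address removes the instance from the pool of reflectors; disabling UDP removes the amplification even if a firewall rule is later lost. Doing both is cheap, and neither affects clients that speak TCP to a private address.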
However, Daniel Smith, a Radware security researcher, warned that paying the Monero ransom would not help, since the same Monero address has been used in notes sent to multiple, different targets. It appears to be a carpet-bombing technique designed to scare targets in an effort at a quick cash grab. Because the same address is reused across the ransom notes, the attackers would have no way of knowing which target had paid.
Akamai also issued a report echoing Smith’s advice not to pay the ransom.
“There is no sign to suggest that they are actively tracking the targets’ reaction to the attacks, no contact information, no detailed instructions on payment notification,” Akamai said. “If a victim were to deposit the requested amount into the wallet, we doubt the attackers would even know which victim the payment originated from, let alone stop their attacks as a result.”