DDoS extortion is certainly not a new trick by the hacker community, but there have been several new developments to it. Notable among them is the use of Bitcoin as a method of payment. DD4BC (DDoS for Bitcoin) is a hacker (or hacker group) who has been found to extort victims with DdoS attacks, demanding payment via Bitcoin. DD4BC seems to focus on the gaming and payment processing industries that use Bitcoin.
In November 2014, reports emerged of the group having sent a note to the Bitalo Bitcoin exchange demanding 1 Bitcoin in return for helping the site enhance its protection against DDoS attacks. At the same time, DD4BC executed a small-scale attack to demonstrate the exchange vulnerability to this method of disruption. Bitalo ultimately refused to pay the ransom, however. Instead, the site publicly accused the group of blackmail and extortion as well as created a bounty of more than USD $25,000 for information regarding the identities of those behind DD4BC.
The plots have several common characteristics. During these extortion acts, the hacker:
Launches an initial DDoS attack (ranging from a few minutes to a few hours) to prove the hacker is able to compromise the website of the victim.
Demands payment via Bitcoin while suggesting they are actually helping the site by pointing out their vulnerability to DdoS
Threatens more virulent attacks in the future
Threatens a higher ransom as the attacks progress (pay up now or pay more later)
Unprotected sites can be taken down by these attacks. A recent study by Arbor Networks concluded that a vast majority of DD4BCs actual attacks have been UDP Amplification attacks, exploiting vulnerable UDP Protocols such as NTP and SSDP. In the spectrum of cyber-attacks, UDP flooding via botnet is a relatively simple, blunt attack that simply overwhelms a network with unwanted UDP traffic. These attacks are not technically complex and are made easier with rented botnets, booters, and scripts.
The typical pattern for the DD4BC gang is to launch DDoS attacks targeting layer 3 and 4, but if this does not have the desired effect, they will/can move it to layer 7, with various types of loopback attacks with post/get requests. The initial attack typically lies on a scale between 10-20GBps. This is rather massive, but often not even close to the real threat.
If a company fails to meet their requests, and if that company does not migrate this attack through various anti-DDoS services, the group will typically move on after 24 hours of a sustained attack. But you should not count on this pattern to manage your cyber security tactics.
