Dealing with the risk of DDoS ransom attacks

Published: Tuesday, 19 April 2016 07:18

Jake Madders highlights the increasing trend for distributed denial of service attacks to come with a ransom demand and explains what organizations can do to handle such a situation.

We are all familiar with the disruptive consequences of a distributed denial of service (DDoS) attack when a website is forced offline because it has been swamped with massive levels of traffic from multiple sources. The cost in terms of lost business to companies while their website is offline can be significant.

Cyber criminals are now taking the process a step further by tying ransom demands to their DDoS attacks, threatening to keep company websites permanently offline until they pay up. In effect, DDoS attacks are coming with an invoice attached. 

What are DDoS ransom attacks?

Given the stakes, it makes sense for organizations to try and learn as much as they can about DDoS ransom demands: what do they look like, how can businesses work out if their site is at genuine risk and how can they protect their online presence?

Potential DDoS attacks, usually by criminal groups, start with a test attack on a website or service. The preferred method is to send increasing levels of traffic to the site to ascertain whether it could be vulnerable to an attack. Sometimes, the site can be knocked out with a small attack (from 1-2Gb of bandwidth) or it may require a much larger scale onslaught (from 10-100Gb), depending on the robustness of the security technology the service provider hosting the site has in place.

If they think it is worth the effort, criminals will keep trying to bring the site down until they succeed. Once they have taken the site down, they will make their ransom demand, usually via email, with a deadline for payment or another attack will ensue. Companies are forced to choose between paying the ransom to 'keep the site live' or losing business while the site is offline for a pre-determined time period. If a company opts not to pay the ransom in time, the attacks usually resume with increased severity and for a longer duration. The ransom amount also increases.

How to stop DDoS ransom attacks

There are a number of measures businesses can take to protect their websites and online services:

Check your service provider

The best way to deal with DDoS ransom demands is to prevent them happening in the first place. Prevention is always better than the cure. It’s the responsibility of the service provider hosting the website to have measures in place to defend customers against DDoS attacks, so it makes sense to find a service provider that has the experience and capabilities to identify and mitigate DDoS ransom attacks.

To do this, businesses need to have a clear idea of how prepared their service providers are to stave off DDoS attacks so they can assess their levels of risk. It also helps to have an understanding of what levels of security and service are guaranteed in their customer agreements.

Don’t ignore ransom demands

It is important that businesses don’t bury their heads in the sand and ignore any ransom emails they might receive. On that subject, they should be aware it can be easy to ignore or overlook these types of emails because they usually look like spam and are shoddily written. If they receive a ransom email, companies should make their service provider aware of it right away so it can be on the look-out for any increase in traffic to the site and be prepared to mitigate serious attacks.

Don’t pay ransom demands

The temptation for some companies when they receive a ransom email is to pay up. Faced with the prospect of having their website and online services crippled or disabled, especially if they are critical to their day-to-day business, they feel forced to pay up to try and make the problem go away. The difficulty is that paying up is no guarantee the threat will be eliminated. Just because you’ve paid off one group, doesn’t mean they will definitely stop attacking or even that another criminal gang might not be tempted to launch a similar attack. In other words, there’s no guarantee that paying a ransom demand will ensure there won’t be other demands for ransom payments in the future.


However remote and unlikely the risk may appear of a DDoS ransom attack, it needs to be set against the damage such an attack can cause to the business. The best way to counter ransom demands is to stop the DDoS attacks in their tracks. The first line of defence against any attack on a website or online service is the service provider hosting it. Businesses should expect service providers to have the required technical skills and specialist hardware to fend off or mitigate DDoS attacks to keep them online. If they don’t have the skills and can’t prevent DDoS attacks, customers have a right to know. Businesses shouldn't be held to ransom because their website provider isn’t up to the job of protecting them.

The author

Jake Madders is director of cloud hosting provider Hyve Managed Hosting.