Recent Memcached DDoS attacks drive RDoS extortion practice

Crooks already started to blackmail companies asking for a ransom demand in Monero cryptocurrency to avoid being attacked via Memcached servers.

Last week, the Github service was hit by the biggest-ever DDoS attack that peaked 1.35 Tbs by abusing the memcached protocol to power so-called memcached DDoS attacks.

Researchers believe that threat actors in the wild will abuse misconfigured Memcached servers in future attacks, unfortunately, many of them are still exposed on the Internet.

Crooks already started to blackmail companies asking for a ransom demand in Monero cryptocurrency to avoid being attacked.

The news was first reported by Akamai that detected DDoS attacks executed via Memcached servers that instead of flooding targets with UDP packets are leaving short messages inside these packets.

“Memcached has become the new kid on the block in the DDoS world, with widespread and rapid adoption by attackers pushing attacks of all sizes across organizations and industries.  As with most powerful attacks, it didn’t take long for attackers to come up with ways to turn the threat into a business opportunity.” reads the analysis published by Akamai.

“If you look closely, you can see that buried in that attack traffic appears to be an extortion attempt. The attackers insist that the victim pay 50 ($16,000+) Monero (XMR) to the wallet address they’ve so graciously included. This appears to be in line with similar tactics used with extortion emails.  Multiple targets are sent the same message in hopes that any of them will pay the ransom.”

One of the extortion attempts monitored by Akamai was conducted by a gang that is asking victims to pay 50 Monero (roughly $17,200).

The attackers drop payloads onto the memcached server they intend to target.  

“While  most attackers are filling these records with junk, it appears these attackers have decided to load up their payloads with payment amount and wallet address information in the hopes of duping desperate victims into forking over their cold hard crypto-cash.” continues the post.

This kind of extortion practice dubbed ransom DDoS (RDoS) is not new, researchers first observed it in 2015 with the criminal gang called DD4BC  The group was sending send emails to many companies, threatening to launch DDoS attacks unless they paid a ransom fee.

The DD4BC gang has carried out at least 114 DDoS attacks with an average peak bandwidth of around 13.34 Gbps on its customers since April 2015.

The crew  attempted to extort money from financial companies and other business by threatening to hit them with DDoS attacks that could interfere with their operations.

In one case, the DDoS attack flooded the target with over 56.2 Gbps of traffic, in June 2015 they powered at least 8 DDoS attacks that had peak bandwidths of more than 23 Gbps.

The DD4BC group targeted Financial services in 58 percent of the DDoS attacks, banks and credit unions in 35 percent of the attacks, currency exchanges in 13 percent while the rest were payment processing firms.

The group was dismantled by authorities, some members were arrested, but other members continued the offensives under different names such as Armada Collective and XMR Squad.

Experts believe the threat is concrete, the availability of unsecured Memcached servers could be exploited attacker to launch powerful attacks.

Researchers at Akamai suggest not pay the ransom, they noticed that attackers have used the same Monero address for multiple DDoS attacks against different targets. This means that attackers have no way to associate a specific payment to a victim.

“If a victim were to deposit the requested amount into the wallet, we doubt the attackers would even know which victim the payment originated from, let alone stop their attacks as a result.  Even if they could identify who’d sent the payment, we doubt they’d cease attacking their victim as it was never really about the money anyways.” concluded Akamai.