DDoS extortion is certainly not a new trick from the hacker community, but there have been several new developments. Among them, the use of Bitcoin as a payment method stands out. DD4BC (DDoS for Bitcoin) is a hacker (or group of hackers) who has been found to extort money from victims with DDoS attacks, demanding payment in Bitcoin. DD4BC seems to focus on payment processing and gaming businesses that use Bitcoin.

In November 2014, reports emerged that the group had sent a note to the Bitalo Bitcoin exchange demanding 1 Bitcoin in exchange for helping the site improve its protection against DDoS attacks. At the same time, DD4BC ran a small-scale attack to demonstrate the exchange’s vulnerability to this disruption method. However, Bitalo ultimately refused to pay the ransom. Instead, the site publicly accused the group of blackmail and extortion and offered a reward of more than $25,000 for information on the identities of those behind DD4BC.

The schemes share several common characteristics. During these acts of extortion, the hacker:

Launches an initial DDoS attack (lasting from a few minutes to a few hours) to prove that the hacker can disrupt the victim’s website.

Demands payment in Bitcoin while suggesting that they are actually helping the site by pointing out its vulnerability to DDoS.

Threatens more severe attacks in the future.

Threatens a higher ransom as the attacks progress (pay now or pay more later).

These attacks can take unprotected sites offline. A recent study by Arbor Networks concluded that the vast majority of actual DD4BC attacks have been UDP amplification attacks, abusing UDP-based services such as NTP and SSDP that can be turned into amplifiers. On the spectrum of cyberattacks, UDP flooding through a botnet is a blunt and relatively simple attack that overwhelms a network with unwanted UDP traffic. These attacks are not technically complex and are made easy by rented botnets, booters, and scripts.
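Because amplification traffic arrives from the source ports of the abused services rather than from the attacker, it is recognisable in flow data at the victim's edge. The following is an added example, not code from the original post or from Arbor Networks: it parses a handful of constructed NetFlow-style records (the line format, the reflector-port table, and the thresholds are assumptions) and flags a destination that is receiving large UDP responses from many distinct NTP or SSDP reflectors at once.

```python
"""Flag likely UDP amplification/reflection traffic in flow records.

Added example (not from the original post). Normal NTP replies are tens of
bytes per packet; amplified responses are several hundred, and a victim sees
them from many unrelated reflector addresses simultaneously.
"""
from collections import defaultdict
from dataclasses import dataclass

# Source ports of UDP services commonly abused as amplifiers
# (the post names NTP and SSDP; DNS and chargen added as assumptions).
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 19: "chargen"}

# Constructed flow records: "src_ip:src_port dst_ip:dst_port proto packets bytes"
SAMPLE_FLOWS = [
    "198.51.100.11:123 203.0.113.10:40001 UDP 1000 440000",   # NTP, ~440 B/pkt
    "198.51.100.12:123 203.0.113.10:40001 UDP 1000 440000",
    "198.51.100.13:123 203.0.113.10:40001 UDP 1000 440000",
    "198.51.100.14:123 203.0.113.10:40001 UDP 1000 440000",
    "198.51.100.21:1900 203.0.113.10:40002 UDP 800 280000",   # SSDP, 350 B/pkt
    "198.51.100.22:1900 203.0.113.10:40002 UDP 800 280000",
    "198.51.100.23:1900 203.0.113.10:40002 UDP 800 280000",
    "198.51.100.31:53 203.0.113.10:40003 UDP 500 600000",     # DNS, only 2 sources
    "198.51.100.32:53 203.0.113.10:40003 UDP 500 600000",
    "198.51.100.5:123 203.0.113.20:123 UDP 10 480",           # benign NTP, 48 B/pkt
    "198.51.100.6:443 203.0.113.20:51000 TCP 200 150000",     # TCP, ignored
]


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def parse_flow(line):
    """Parse one constructed flow record into a Flow."""
    src, dst, proto, pkts, octets = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(sip, int(sport), dip, int(dport), proto, int(pkts), int(octets))


def detect_amplification(lines, min_avg_bytes=300, min_reflectors=3):
    """Return {victim_ip: {service: reflector_count}} for destinations that
    receive large UDP payloads from at least min_reflectors distinct source
    addresses on a known reflector service port."""
    per_victim = defaultdict(lambda: defaultdict(set))
    for line in lines:
        f = parse_flow(line)
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        if f.octets / f.packets < min_avg_bytes:
            continue  # small replies look like ordinary client/server traffic
        per_victim[f.dst_ip][REFLECTOR_PORTS[f.src_port]].add(f.src_ip)

    findings = {}
    for victim, services in per_victim.items():
        hits = {svc: len(srcs) for svc, srcs in services.items()
                if len(srcs) >= min_reflectors}
        if hits:
            findings[victim] = hits
    return findings


if __name__ == "__main__":
    for victim, hits in detect_amplification(SAMPLE_FLOWS).items():
        print(f"{victim}: possible amplification from {hits}")
```

The thresholds are deliberately crude; in practice they would be tuned against the site's baseline, and the same per-source-port grouping is what an upstream scrubbing service uses to decide which reflected traffic to drop before it reaches the origin.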

The typical pattern for the DD4BC gang is to launch DDoS attacks targeting Layers 3 and 4, but if this doesn’t have the desired effect, they may escalate to Layer 7, using various types of HTTP-based attacks built on POST/GET requests. The initial attack is generally on a scale of between 10 and 20 GBps. That is already substantial, but it often falls well short of what the group can actually bring to bear.
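The reason Layer 7 escalation matters to defenders is that a volumetric Layer 3/4 flood is visible as raw bits per second, whereas a GET/POST flood consists of individually valid requests and only shows up as an abnormal request rate per client. The following is an added example, not code from the original post: it builds a constructed access log (the simplified log format, the client addresses and the thresholds are assumptions) and flags sources whose request count in a sliding window exceeds a limit.

```python
"""Flag Layer 7 (HTTP GET/POST) flood sources in a web-server access log.

Added example (not from the original post). Requests are counted per source
address in a sliding time window; a source whose count exceeds the limit is
reported with its peak in-window request count.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Parse a constructed line of the form: ip [timestamp] "METHOD path"."""
    ip, rest = line.split(" ", 1)
    ts_str = rest[rest.index("[") + 1:rest.index("]")]
    method = rest.split('"')[1].split()[0]
    return ip, datetime.strptime(ts_str, TS_FMT), method


def flood_sources(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_requests_in_window} for clients exceeding max_requests
    within any window_seconds span. Lines must be in chronological order."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        ip, ts, method = parse_line(line)
        if method not in ("GET", "POST"):
            continue
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have slid out of the window for this client.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _make_log():
    """Build a constructed log: one flooding client and one normal client."""
    base = datetime(2015, 6, 1, 12, 0, 0)
    lines = []
    for i in range(30):  # constructed flood: 30 GETs in under six seconds
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f'192.0.2.7 [{t.strftime(TS_FMT)}] "GET /index.php"')
    for i in range(5):   # constructed normal client: one request every 12 s
        t = base + timedelta(seconds=12 * i)
        lines.append(f'198.51.100.20 [{t.strftime(TS_FMT)}] "GET /"')
    lines.sort(key=lambda l: parse_line(l)[1])
    return lines


SAMPLE_LOG = _make_log()

if __name__ == "__main__":
    for ip, peak in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within a 10 s window")
```

A per-address counter like this is the simplest Layer 7 signal; it is blind to a flood spread thinly across a large botnet, which is why production defences also rate-limit per URL and per session and fall back to challenge pages when the aggregate request rate, not any single client, is what exceeds the baseline.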

If a company does not comply with the group’s demands, and does not mitigate the attack through one of the various anti-DDoS services, the group will normally keep going after 24 hours of sustained attack. But you shouldn’t count on this pattern holding when planning your defences.

By admin
