Attackers include ransom note in amplified DDoS attacks that use memcached servers

Cybereason's security team on Thursday discovered that the memcached servers used in the largest DDoS attack to date are including a ransom note in the payload. If DDoS amplification attacks weren't enough of a threat, attackers have made this technique even more potent by adding an extortion component.

The attackers wanted to get their message across: they dedicated a gigabyte of data to the ransom note, which instructs victims to pay 50 XMR (XMR is the ticker symbol for the Monero cryptocurrency), is included in a line of Python code and repeats many times. As of this writing, 50 XMR equals approximately $15,000. Like all currencies, the Monero exchange rate fluctuates so the amount of money victims have to pay can change.

If any organizations have paid the ransom is unknown. Unlike bitcoin transactions, Monero transactions aren't displayed publicly so there's no way to see if funds have been transferred to the attacker’s Monero address.

This video shows how Cybereason’s security team discovered the ransom note, which is highlighted:

how amplified DDOS attacks could lead to companies paying ransoms

Not to spread FUD, but the potential impact of DDoS amplification attacks is huge. Researchers have found that this technique can increase bandwidth amplification by a factor of at least 50,000 and estimate that as of November 2017 there are at least 60,000 memcached servers that can be used.

Here’s another example to show the magnitude of this attack. According to engineers at GitHub, which was knocked offline by the attack, the initial wave of the attack peaked at 1.35Tbps. Previously, the largest DDoS attack registered 1.1Tbps.

While GitHub’s site issues lasted for around nine minutes, using a short attack to quickly knock companies offline can greatly benefit attackers. If sites can be taken down in such a brief amount of time, companies could be more inclined to pay the ransom (assuming it remains reasonable) instead of dealing with the more substantial fallout from a longer amplification DDoS attack.

The attackers and defenders are likely to engage in an arms race in the coming weeks with the bad guys looking to use this technique against companies while the good guys figure out how to mitigate this threat.  Organizations using memcached servers should disable their UDP port and place these servers on private networks behind firewalls.

Cybereason Team
About the Author

Cybereason Team

Cybereason is dedicated to partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides predictive prevention, detection and response that is undefeated against modern ransomware and advanced attack techniques. The Cybereason MalOp™ instantly delivers context-rich attack intelligence across every affected device, user and system with unparalleled speed and accuracy. Cybereason turns threat data into actionable decisions at the speed of business.

All Posts by Cybereason Team