Do not pay ransom
Extortion is currently a popular ploy of cyber criminals looking for a quick financial gain. Various types of attacks are used to try to extort money from a victim. These include DDoS attacks, which disrupt the availability of websites and services.
The Reporting and Analysis Center for Information Assurance (MELANI) has already reported several times this year on such attacks and associated extortion by the groups Armada Collective and DD4BC, which have caused a media stir in Switzerland. MELANI strongly advises against accepting the demands of the extortion gangs.
DDoS attacks are a phenomenon that has been known for a long time. Until now, the motives were mostly political activism or harming a competitor. This year, however, there was an increase in attacks that were purely financially motivated. The perpetrators primarily chose companies whose business model depends particularly on the availability of their website and which therefore offer corresponding potential for extortion. Under the pressure of their website threatening to become inaccessible and in the hope of a "quick" solution, some companies also consider making a payment.
A payment not only hands the perpetrators a successful extortion, but also gives them the financial means to strengthen their attack infrastructure and intensify the attacks. Attackers often use so-called booter or stresser services. These are tools that trigger DDoS attacks in exchange for payment (effectively "DDoS as a service"). The more money an attacker has at his disposal, the more attack volume (in terms of both intensity and length) he can obtain from such a service provider. If, on the other hand, no ransoms are paid, the criminals' business model collapses.
MELANI advises against paying ransoms for the following reasons:
- There is no guarantee that paying the ransom will stop the attack.
- There is no guarantee that the attack will not be repeated under a different pretext and under the label of a different group.
- Paying a ransom reveals the victim's own weaknesses and tempts attackers to try even more attack vectors on the same victim.
- Cybercriminals are well organized. Word gets around quickly when a victim is willing to pay, and the probability of being attacked by other groups increases accordingly.
- The payment finances and strengthens the attack infrastructure of the criminals. With the money earned, they can afford a better attack infrastructure. Thus, the next attack will be even stronger. This also increases the cost of successfully defending against such an attack.
- A payment reinforces the attackers in their approach. The motivation to continue increases.
- The money spent on the ransom is then no longer available to finance appropriate protection measures.
Paying a ransom is thus at best a short-term treatment of symptoms, without any guarantee, and does not contribute to the long-term resilience of one's own infrastructure or to the security of the Internet against DDoS attacks. On the contrary, as MELANI points out, financially strengthening the attackers gives them more opportunities for longer and stronger attacks, while the victim's own resilience and that of all other participants becomes weaker and weaker in relation to the attackers.
In an extortion case, MELANI recommends filing a report with the local police station or at least reporting the incident to the Cybercrime Coordination Unit (KOBIK) for the attention of the police. The more clues that are gathered about an extortion gang, the greater the chance of successfully identifying the perpetrators.
Preventive measures to protect against DDoS attacks can be viewed here.