Similar to ASERT, Wapack Labs has been tracking the current DD4BC extortion campaign since it started in Australia and New Zealand in early May. DD4BC stands for Denial of Service for BitCoin. The group threatens to block websites with high capacity Denial of Service attacks unless the organization pays a ransom in Bitcoin. There are indications that DD4BC is working at recruiting more botnets in order to increase their Distributed Denial of Service (DDoS) capability.
What you need to know: Analysis suggests that the group has earned enough funds that they are trying to purchase the tools necessary for them to move to bigger targets. The use of the TOR and HideMyAss proxy services suggest that DD4BC owns some of the botnets in use, and they don’t want those IPs black listed. The large amount of traffic coming from Australian ISPs, suggest they have been compromised and their residential connections are being used in some attacks.
- DD4BC attacks are continuing, demonstrating that they have earned enough funds that continued attacks are worth their time
- DDoS attack remain at the 30-40 Gigabytes per second level
- There are indications that DD4BC is acquiring enough assets to target larger organizations with higher capacity attacks
- Reports show that many organizations remain vulnerable to DD4BC attacks
DD4BC began its blackmail campaign in 2014. The group sent emails threatening to block websites with a DDoS attack unless a ransom was paid. This was followed by a ‘demonstration’ attack that typically lasted an hour. Initial targets included smaller bitcoin exchanges, entertainment websites, on-line casinos, and on-line betting organizations. DD4BC targeted organizations that would not be willing to work with police or other authorities. This was not always effective, as DD4BC initially demanded a 10 bitcoin ransom. One bitcoin exchange posted a 100 bitcoin bounty for information on DD4BC.
In April 2015, DD4BC began targeting businesses in Australia and New Zealand. They began targeting miming companies as well as some financial services firms. When companies were DDoSed, attack rates of 30-40 Gbps (Gigabits per second) were observed — much less than the 400-500 Gbps rates that were threatened. Early in May, the CERT teams in New Zealand, Switzerland and Canada posted warnings about DD4BC. Subsequently attacks shifted to the U.K. Germany and Central Europe. Iceland was targeted. Scandinavian companies appear to be the current targets.
A survey by Neustar in March 2015 reported that DDoS attacks could expose 40% of UK businesses to losses of $154,000 per hour in peak usage periods in a successful attack. A Priority Intelligence report by Wapack Labs reports that DD4BC is “renting multiple botnets” and “buying ‘shells’ from underground communities.” The group is also using TOR and HideMyAss VPN to hide their IP addresses.
As long as there’s a market, there will be more attacks. People pay, and when they don’t they get DDoSed. And while today’s attacks may not be that severe, the threat is enough to drive up the demanded price. Wapack Labs continues to monitor this activity.
About Wapack Labs
Wapack Labs, located in the technology mills of Manchester, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.
For questions or comments regarding this report, please contact the lab directly by at 603-606-1246, or firstname.lastname@example.org.