Ransomware attacks increasingly target businesses to disrupt operations or extort money. Organisations large and small are affected across many countries: commercial businesses, governments, educational establishments and hospitals. The attacks are becoming more sophisticated both in how they get into a network and in how they spread through it. Sometimes the intruders lie dormant for months, waiting for the moment at which an attack will cause the most disruption. When they do strike, the malware blocks access to systems and encrypts data and storage, and the attackers withhold the decryption keys until a ransom is paid.
A recent attack in the US targeted Kaseya, a Florida-based IT company that provides management software to managed service providers (MSPs) and has over 10,000 customers in many countries. A vulnerability in a specific version of its software was exploited to push the ransomware through the MSPs to their customers, affecting over 1,500 businesses. The attackers demanded a ransom of $70m in Bitcoin before they would release the decryption keys.
If a business falls victim to a ransomware attack and cannot recover its files, the commonly cited estimate is that it will go bust within 90 days.
How does a DDoS attack work?
Distributed network attacks are usually referred to as Distributed Denial of Service (DDoS) attacks.
The most familiar form attacks a business website by flooding it with a continuous stream of web-page requests that exceeds the site's capacity and stops it functioning correctly. Other forms saturate the network link itself (volumetric floods) or abuse protocol behaviour, such as opening TCP connections that are never completed, so the target is not always the web application.
The cybercriminals' aim is the total loss of the website's functionality: a complete denial of service.
To generate the very large number of requests needed, the attacker usually builds a botnet (also called a zombie network) by infecting many machines with malware. The malware gives the attacker remote control over each infected computer, enough to receive orders and generate traffic, and the attacker can direct an attack by sending remote instructions to every bot at once.
When the botnet is pointed at a victim's server or network, each bot sends requests to the victim's IP address; the combined load overwhelms the server or saturates its network link, denying service to normal traffic.
How to identify a DDoS Attack
Traffic analytics tools can help you spot a suspicious amount of traffic originating from a single IP address or IP range, a surge in requests to a single page or endpoint, or odd traffic patterns such as spikes at unusual hours or unnaturally regular spikes (e.g. every 15 minutes). Bear in mind that a botnet can sit dormant until it is given orders, for instance on New Year's Eve, so clean traffic today is no guarantee. The cybercriminals use a command-and-control (C2) server to issue instructions to the compromised devices; each device then uses a portion of its processing power and bandwidth to send bogus traffic to the targeted server or website, and the DDoS attack is launched.
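The indicators above (one source range, one endpoint, a sudden volume spike) can be checked directly against a web server's access log. The script below is an added example and not code from the original article or from any analytics product: it parses combined-format log lines, buckets them into one-minute windows, finds the busiest window and reports how concentrated that window's traffic is by /24 source range and by endpoint. The log lines it analyses are constructed inline (the IPs, paths, timestamps and thresholds are all assumptions chosen to make the pattern obvious).

```python
"""Spotting DDoS indicators in web-server access logs.

Added example, not code from the original article. The log lines are
constructed (Apache/nginx combined format); the IPs, paths, timestamps and
thresholds are all assumptions chosen to make the pattern obvious.
"""
import ipaddress
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
#   203.0.113.5 - - [02/Jul/2021:23:50:00 +0000] "GET /login HTTP/1.1" 503 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def source_net(ip):
    """Group a source by its /24 (IPv4) or /64 (IPv6): bots rented from one
    hosting range often share a prefix even when each address sends little."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def analyse(lines, window_s=60, spike_ratio=10.0, concentration=0.8):
    """Bucket requests into windows, find the busiest window and report how
    concentrated its traffic is by source range and by endpoint.

    The baseline is the median window volume of the supplied lines; in
    practice take it from a longer history so that an attack spanning most
    of the sample cannot drag the baseline up.
    """
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return {"suspicious": False, "reason": "no parseable lines"}
    per_window = Counter(int(r["ts"].timestamp()) // window_s for r in recs)
    baseline = statistics.median(per_window.values())
    peak_win, peak_count = max(per_window.items(), key=lambda kv: kv[1])
    in_peak = [r for r in recs if int(r["ts"].timestamp()) // window_s == peak_win]
    top_net, net_n = Counter(source_net(r["ip"]) for r in in_peak).most_common(1)[0]
    top_path, path_n = Counter(r["path"] for r in in_peak).most_common(1)[0]
    ratio = peak_count / baseline
    net_share, path_share = net_n / len(in_peak), path_n / len(in_peak)
    return {
        "peak_start": datetime.fromtimestamp(peak_win * window_s, timezone.utc).isoformat(),
        "peak_rps": peak_count / window_s,
        "spike_ratio": ratio,
        "top_source_net": top_net, "source_share": net_share,
        "top_path": top_path, "path_share": path_share,
        # A volume spike alone may be a legitimate rush (a sale, a news story);
        # flag it only when the traffic is also concentrated in one range or
        # on one endpoint.
        "suspicious": ratio >= spike_ratio
        and (net_share >= concentration or path_share >= concentration),
    }


def _fmt(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log():
    """Constructed log: ten minutes of light legitimate browsing, then a
    one-minute flood of 50 requests/s from one /24 aimed at /login."""
    base = datetime(2021, 7, 2, 23, 50, tzinfo=timezone.utc)
    pages = ["/", "/about", "/products", "/contact"]
    lines = []
    for n in range(120):                               # one request every 5 s
        ts = base + timedelta(seconds=5 * n)
        lines.append(_fmt(f"198.51.100.{n % 20 + 1}", ts, pages[n % 4], 200))
    for sec in range(600, 660):                        # the flood
        ts = base + timedelta(seconds=sec)
        for i in range(50):
            lines.append(_fmt(f"203.0.113.{i % 250 + 1}", ts, "/login", 503))
    return lines


if __name__ == "__main__":
    for k, v in analyse(build_sample_log()).items():
        print(f"{k:>16}: {v}")
```

Run against the constructed log it reports a 250x spike with all peak-window traffic coming from 203.0.113.0/24 and hitting /login, and flags it; fed only the first ten minutes it reports nothing. The regular-interval pattern mentioned above is not checked here; it needs a longer history and a comparison of window volumes at a fixed lag, which follows the same per-window bucketing.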
DDoS Mitigation
DDoS mitigation is the process of protecting a targeted server or network from a DDoS attack. Dedicated network equipment or a cloud-based protection (scrubbing) service lets a business absorb and filter the incoming traffic, although it may not stop the attack completely. Mitigation typically has four stages:
- Detection – It is imperative to distinguish an attack from a legitimately high volume of normal traffic, such as a sale or product launch.
- Response – Once an attack is identified, the network drops the malicious traffic at the edge, as far from the protected servers as possible.
- Routing – Intelligent routing splits the remaining traffic into manageable chunks, for example across several data centres or scrubbing points, so that no single resource is overwhelmed.
- Adaptation – A robust network analyses traffic for patterns such as repeat-offending IP blocks, traffic from particular countries, or protocols being used improperly. By adapting to these patterns, a protection service hardens itself against future attacks.
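The Response and Adaptation stages can be shown with a small edge filter. The code below is an added example, not code from the original article or from any protection product: a per-source token bucket drops requests once a source exceeds its allowance, and a source that keeps hammering after its bucket is empty is banned for a period that doubles on each repeat offence. The rates, ban lengths and the two clients in `demo()` are assumptions.

```python
"""Edge rate limiting with escalating blocks: a toy model of the Response
and Adaptation stages of DDoS mitigation.

Added example, not code from the original article or from any product.
The limiter keys on a source IP; the rates, ban durations and the two
clients in demo() are assumptions.
"""
from collections import Counter, defaultdict


class EdgeLimiter:
    """Per-source token bucket. A source that keeps sending after its bucket
    is empty trips a temporary ban; each repeat offence doubles the ban."""

    def __init__(self, rate, burst, ban_base=60.0, ban_max=3600.0, trip=20):
        self.rate = rate          # sustained requests per second allowed per source
        self.burst = burst        # bucket capacity: short bursts up to this are fine
        self.ban_base = ban_base  # first ban length in seconds
        self.ban_max = ban_max    # cap on escalated bans
        self.trip = trip          # consecutive over-limit requests before a ban
        self.buckets = {}                    # src -> (tokens, last_refill_time)
        self.strikes = defaultdict(int)      # src -> consecutive drops
        self.offences = defaultdict(int)     # src -> number of bans so far
        self.banned_until = {}               # src -> ban expiry time

    def check(self, src, now):
        """Classify one request from src at time now: 'allow', 'drop' or 'banned'."""
        until = self.banned_until.get(src)
        if until is not None:
            if now < until:
                return "banned"            # still blocked: the cheapest path
            del self.banned_until[src]
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            self.strikes[src] = 0
            return "allow"
        self.buckets[src] = (tokens, now)
        self.strikes[src] += 1
        if self.strikes[src] < self.trip:
            return "drop"
        # Adaptation: a repeat offender gets a longer ban each time.
        self.offences[src] += 1
        self.strikes[src] = 0
        duration = min(self.ban_max, self.ban_base * 2 ** (self.offences[src] - 1))
        self.banned_until[src] = now + duration
        return "banned"


def send(limiter, src, start, n, spacing=0.0):
    """Send n requests from src beginning at time start, spacing seconds apart,
    and count the outcomes."""
    return Counter(limiter.check(src, start + i * spacing) for i in range(n))


def demo():
    """Constructed scenario: one bot flooding 100 requests at once, twice, and
    one browser sending a request per second for two minutes."""
    lim = EdgeLimiter(rate=5, burst=10, ban_base=60, trip=20)
    bot, browser = "203.0.113.7", "198.51.100.4"
    first = send(lim, bot, 0.0, 100)                   # burst of 100 at t=0
    human = send(lim, browser, 0.0, 120, spacing=1.0)  # 1 req/s, never limited
    second = send(lim, bot, 61.0, 100)                 # back just after the 60 s ban
    return {
        "bot_first": dict(first),
        "browser": dict(human),
        "bot_second": dict(second),
        "bot_banned_until": lim.banned_until[bot],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the scenario the bot's first burst gets 10 requests through, has the next 19 dropped and is then banned for 60 seconds; its second burst earns a 120-second ban, while the browser is never touched. The caveat is that per-source limiting only works when each offender is individually noisy: a large botnet where every bot stays under the limit needs the key widened to the /24 or the originating network, and traffic that exceeds the edge's own link capacity has to be handled upstream by the routing stage, not by a filter on the box being flooded.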
Best Practices for Prevention of DDoS Attacks
DDoS attacks show no signs of slowing; research shows they keep growing in volume and frequency, and most attacks today blend several vectors (volumetric, protocol and application-layer floods) rather than relying on one.
Each business needs an integrated security strategy that protects every level of its infrastructure, and a DDoS prevention plan based on a thorough security assessment.
You also need to consider your backup/restore and data archiving strategy, which is what allows you to recover from ransomware without paying. How robust is your business against a ransomware or DDoS attack, and what would the consequences be if one hit you? Serious consideration should be given to immutable storage (backups that cannot be altered or deleted for their retention period, even by an administrator) and to keeping backup and archive copies in two separate locations or clouds.