WP Cheap and nasty: How for $100 low-skilled ransom DDoS extortionists can cripple your business | Imperva

Cheap and nasty: How for $100 low-skilled ransom DDoS extortionists can cripple your business

Cheap and nasty: How for $100 low-skilled ransom DDoS extortionists can cripple your business

Distributed Denial of Service (DDoS) attacks capable of crippling network resources and websites can be rented online for as little as $5 an hour. With an average financial impact of $100k for just one hour of downtime, that’s a serious return on cybercriminal investment. And that’s just for the ‘bargain basement’ attacks. Further up the food chain, more sophisticated DDoS as a Service attacks come with enterprise-grade support and the capacity to wreak havoc.

‘DDoS for Hire’ services have eliminated two key barriers to entry for would-be cybercriminals: technical ability and cost. Recent years have seen the arrival of an added twist: extortion. Why go to the trouble of sustaining a large DDoS attack when the mere threat can be enough to persuade an organization to pay up?

How much ‘investment’ would it take for an unskilled cybercriminal to really damage an e-commerce website owner – without necessarily launching a DDoS attack? Let’s take a look at a hypothetical scenario before moving into the real world…

Small outlay, big impact

Ransom Value for Attacker:

$9,300 profit1

$700 weekly botnet rental2
48 hour attack
2 attacks per week
Average ransom = $5,000

Profit =$9,300

Ransom Value for Website Owner:

20,000 daily visitors (4% conversion rate)3
800 purchases ( $131 average online sale)4
$104,800 daily revenue

$209,600 in lost sales

Not playing games: the high cost of a network DDoS attack

Now, let’s take a look at a real-world example, involving a global online gaming company in 2020. They received a ransom note threatening a DDoS attack and decided to ignore it. Soon afterwards, they began noticing proxy errors from their website and couldn’t reach their origin servers. Further investigation revealed that they weren’t receiving any packets at all from their servers. When they contacted their ISP, it emerged that they had been cut off as ‘noisy neighbours’ – i.e. the attack on their site was impacting resources for other customers, so the ISP ‘blackholed’ them to protect others. The cost?

Twelve hours of downtime

39 engineers working round the clock to mitigate the damage
30-minute status updates, impacting resources across the business
$42k = the cost of website downtime
$44k x 12 = contact center chaos, loss of productivity for 39 agents for 12 hours

Total = $616k+

When you consider that down time can cost as much as $300k an hour5, this could have been a lot worse. A quarter of DDoS targets are hit ten times or more6.

DDoS and the bottom line

Even a few minutes of downtime could have far-reaching effects on a business. It can take days, or even weeks, to recover from a DDoS attack. Ninety-one percent of organizations have experienced downtime from DDoS. And because payment to stop a ransom DDoS attack is usually demanded in cryptocurrency, there’s no traditional ‘follow the money’ route to tracking the criminals behind the attacks.

Getting by on the belief that your infrastructure partners can protect you, or that your business is too niche to be of interest is risky: many businesses experience a DDoS attack at least once a year. A quarter of DDoS targets are hit ten times or more; once an attacker decides to go after a target, they’re incredibly persistent.

In a world where cybercriminals routinely automate short, sharp DDoS attacks, automated, always-on mitigation is your best defense in a game of cat and mouse where attackers create maximum disruption before hybrid cloud and on-premise solutions can kick in. When your mitigation solution takes longer to react than the attack itself lasts, criminals not only cause denial of service, but prevent mitigation appliances from activating the cloud scrubbing platform.

Ransom DDoS attacks are back, and strike without warning. To learn more about how Imperva’s proactive DDoS prevention solutions ensure business continuity with guaranteed uptime and no performance impact, visit the DDoS section on our website.

———

1Based on 1BTC = $39k
2Based on an average $100-a-day charge for a ‘quality’ DDoS-as-a-Service attack
3https://www.invespcro.com/blog/the-average-website-conversion-rate-by-industry/
4Statista, U.S. Average online shopping order value 2020, by device.
5https://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime/
62021 DDoS Threat Landscape Report