In November of 2015, First National Bank of South Africa received a ransom email from the Armada Collective, which was quickly followed by a teaser flood attack that the bank proactively mitigated. Sort of a shot across the bow to make sure the bank knew the criminals were serious.
Bank officials didn’t flinch. According to a verbatim in Radware’s recently released Global Application & Security survey, the bank detected and mitigated the teaser flood attack before officials discovered the email, which had been sent to an unattended mailbox while the company was closed. With a hybrid DDoS mitigation solution in place, the flood attack had no impact and was immediately diverted to a scrubbing center for cleanup.
The report revealed that ransom attacks are by far the most prevalent threat—growing from 25% of attacks in 2015 to 41% in 2016. What’s driving the increase? Cyber ransom can be a highly lucrative “business.” It is faster, easier and cheaper than ever to execute this form of extortion, which gives its victims a very short window to respond before suffering what could be a devastating disruption to systems and day-to-day operations.
Keep in mind these ransom email attacks are different from the common ransomware that today can hold companies' data hostage until money is paid.
A senior network architect explained in the report because the bank is located in South Africa, the organisation is geographically separated from the rest of the world. This has implications on both the organisation’s ability to protect itself (for instance, in terms of latency in times of diversion) and also limits the ability of hackers to use volumetric attacks; hackers can’t get even half a terabyte of traffic in South Africa.
“For us, a teaser attack may bring 300 megabytes of traffic. As a safety precaution, when we receive a flood attack and ransom note, we divert network traffic to the scrubbing center of our DDoS mitigation vendor, Radware, before the ransom payment deadline. We believe that hackers executing the ransom attack will observe the traffic being diverted and will realise the futility of launching a teaser attack,” the network architect said.
The bank also believes that it sends a signal to Armada Collective and other ransom groups. “By taking powerful and decisive action, we send the message that we won’t be victimised.”
In April of 2016, the bank received another ransom email purporting to be from Lizard Squad. The bank learned through a local banking risk management association that the emails were from a copycat. Since it was identified as a hoax, the bank decided not to divert traffic. However, they did receive a small teaser attack and relied on Radware’s Emergency Response Team for support.
Sign up for CIO Asia eNewsletters.