Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

South African bank tells its tale of battling ransom attacks

Ryan Francis | Jan. 12, 2017
Since November 2015, the First National Bank of South Africa has fought off groups looking for money.

Since the beginning of 2016, the diversity of attack vectors has increased and the bank has experienced a fourfold increase in burst attacks. At the same time, attacks lasting more than an hour are decreasing. The trend seems to be shifting toward very short, “hit and run” assaults.

radware DDoS
Radware

Yet not all attacks are burst attacks. In September 2016, the bank received an attack that was relatively small (only 2G-3Gbps) but lasted over four hours and gradually evolved in several stages. First, bank officials noticed that some of the attacks were ping-back attacks. They experienced attacks of 16,000 SYN connections—big for South Africa—which were mitigated via our on-premises DDoS protection appliance.

After the Half-SYN attack, there was an HTTP flood with about 2,000 sources in the attack, which was also successfully mitigated. However, the bank had difficulty mitigating the full HTTPS flood attack.

“It was the first time we experienced an encrypted attack, highlighting the need for dedicated protection against encrypted attacks that leverage SSL standards to evade security controls. Normally the bank faces UDP fragmented attacks followed by a DNS reflective attack. In this case, we were hit with a typical SSL attack that we were not prepared to mitigate,” according to the Radware report.

Typically attacks only last three to four minutes and immediately follow each other, but this SSL attack lasted an hour and a half, putting the bank's defenses under tremendous stress because of the computing resources the attack consumed. The bank generated so much response load that it pushed its outbound connection to its limit; it tripled our usual throughput.

Lessons learned

The year 2016 saw an explosive rise in extortion threats, which eclipsed most other types of cyber-attacks. Radware found in its survey that 56 percent of organisations reported being the victim of a cyber-ransom attack and 41 percent of organisations mark ransom as the greatest cyber threat facing their organisation (versus 25 percent in 2015). Here are some lessons the bank learned:

1. The benefits of behavioral analysis over rate-limiting analysis.
In the past, the bank tested a DDoS mitigation solution that leveraged rate-limiting technology and discovered that using behavioral analysis provided a significant advantage. Since it doesn’t block legitimate traffic, it enables the bank to maintain its service levels.

2. The importance of time to mitigation.
By having the ability to develop attack signatures in real time, the bank has been able to mitigate attacks in as little as 20 seconds.

Primary actors
Radware has identified some of the primary groups that carry out ransom DoS attacks:

Armada Collective: Armada Collective is arguably the best known—and most imitated— gang of cyber criminals. With a typical ransom demand of 10 to 200 Bitcoin (about $3,600 to $70,000), this gang often accompanies its ransom notes with a short “demo” or “teaser” attack. When time for payment expires, Armada Collective takes down the victims’ data centers with traffic volumes typically exceeding 100Gbps.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.