The story of a DDoS extortion attack – how one company decided to take a stand

German payment processor goes public on threats received last week

Last Friday, June 10, a member of the IT team at German payments processor Computop retrieved an email sent to one of the company's public addresses threatening to hit the firm's customer websites with a massive DDoS attack if a ransom of 15 Bitcoins (about £7,900) was not paid to the attackers by June 15.

The attackers had launched a smaller demo DDoS to prove their intent, the email said, something IT staff confirmed after checking monitoring systems. This was clearly a threat with the capability to do serious damage.

"If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there's no counter measure to this. You will only end up wasting more money trying to find a solution," the email warned in broken English.

"We will completely destroy your reputation amongst Google and your customers and make sure your website will remain offline until you pay."

When Computop's CEO Ralf Gladis heard of the threat he was tempted to pay up. But after speaking to contacts in the industry over the weekend, he instead resolved to do something rare and, frankly, quite extraordinary.

Instead of simply ordering his company to defend itself in conventional fashion, he was going to write to all 5,000 of Computop's customers and partners telling them that on 15 June his firm's website was likely to be hit with a DDoS attack big enough to cause everyone serious problems.

Computop's engineers confirmed that an attack of 80-90Gbit/s would be more than enough to cause an outage to the platform and to anyone in its vicinity in the datacentre.

"We don't want to hide behind a wall of silence and are determined to keep you in the loop with regard to what's been going on," wrote Gladis in a second follow-up email sent a matter of hours before the DDoS deadline was due to expire.

"DDoS attacks happen every day, and they can hit each and every one of us. Which is why we should take advantage of our community of business partners - stick together, learn from each other and ensure we are prepared for when the s**t hits the fan."

The story of a DDoS extortion attack - going public

Gladis probably didn't consider it at the time but he was making history. Companies hit by or threatened with DDoS attacks rarely talk about their experiences and absolutely never put such information into the public domain prior to an attack. It just isn't done. Business wisdom says that it's just too much of a reputational risk and might even seriously annoy the attackers. It's almost as if the industry sees the attack as being the victim's fault.

Fired by the liberation of disclosure, Gladis and Computop decided to go a stage further and publish a detailed account of their experience complete with lessons for other firms that might one day find themselves in the same predicament [Computerworld will link to this when it is posted online].

What seems to have crystallised the unusual decision to go public was a simple discovery.

"If you investigate you find out that they [DDoS attackers] target our industry," Gladis told Computerworld UK. DDoS extortion threats were routinely being sent to other firms in the German payments sector, he realised, but nobody seemed prepared to discuss this open secret.

It struck Gladis that this kind of secrecy might be precisely what the attackers thrived on, and he sensed an opportunity to break a taboo. Having decided to defend itself, the firm came up with a plan of action.

"My first reaction was we need to talk to our data centre because they will get as overwhelmed as we will," says Gladis.

"We have a trusted relationship with many important merchants all over the world. They trust us and to honour this we have to let them know that there is a threat. Some of them might want to take precautions knowing that in two days there might be a problem with their payment processing.

"A lot of large retailers came back saying that they liked being given a heads up. Nobody complained."

Computop enlisted the support of the firm's datacentre provider, which in turn told its upstream providers. Then Computop hired an ethical hacking consultancy to advise it before taking the decision to use cloud DDoS sink-holing from Imperva's Incapsula division.

Did the plan work?

The date and time for the promised attack came and went and nothing happened. Gladis was told by the company's pen-testers that the attackers would have been able to detect that the vulnerable servers were now within a mitigation cloud and probably simply backed off.

"We don't want to look like heroes who have beaten the enemy. We were just well prepared."

The attackers went elsewhere, most likely to less well defended targets.

The story of a DDoS extortion attack - firewall cluster

A fascinating side detail is that at the time of the threatened attack the company was still struggling with a new firewall cluster it had recently installed. This sort of infrastructure would normally help with e-commerce and website availability, but the trouble was it wasn't working as a single logical entity. In the nick of time, the firm's IT team resolved the issue with a software update.

Did Gladis have any worries about being so open?

"We knew we were taking a slight risk but it's worth it. It is about fighting criminals and complying and hiding is not going to help."

Computop involved cyber police in the German state of Bavaria, who were able to trace some of the IPs used in the demonstration attack launched by the extortion gang. According to Gladis, the Bavarian police then enlisted police forces across Germany to visit the offices of the innocent companies in which rogue servers were operating, asking for them to be taken down.

Not only was Computop fighting back against DDoS extortionists, it was also party to a botnet take-down.

Computop's story stands as a remarkable refutation of the idea that security is best served by secrecy. In fact, as Gladis suggests, secrecy is what makes these crimes more potent than they would otherwise be. When there is no learning, criminals are able to target companies one at a time, picking them off at will.

"There is nothing to hide. This can happen to all of us. Better to talk about it and let people know," he says. "Our customers will be better prepared than we were."

Computop's DDoS defence 101

The company has now published a more detailed set of recommendations for anyone who faces the same type of attack. Below we extract the main lessons, but the published document offers more depth:

- Inform your datacentre. This might seem obvious but it is critical that they know of the threat as soon as possible. When choosing a datacentre, make sure it is one that is open to helping in these situations.

- Don't pay the ransom and don't communicate with the extortionists. "They might just attack anyway and ask for more money. They might come back under a new name. They might tell their friends that we are willing to pay."

- Reach out to your partners for advice. Many of them will have had similar experiences.

- Don't underestimate the usefulness of firewalls, including your datacentre's upstream infrastructure. That filtering can lighten the load.

- Consider using DDoS mitigation and expert consultants. It costs, but the price is small compared to the protection it offers. Techies or pen-testers with experience in DDoS can also offer the sort of advice that saves valuable time, including how the attackers operate.

- Phone the police. The Bavarian state police reacted extremely quickly to help defuse part of the extortionists' botnet (see above).
