June 15, 2017

Lisa Bock on A New Twist on Ransomware – Internal DDoS

Lisa Bock is an associate professor of information technology at Pennsylvania College of Technology (www.pct.edu) in Williamsport, Pennsylvania. She has taught a variety of courses that include networking, security, biometrics, protocol vulnerabilities, CCNA Security, and requirements analysis, and is an author for Lynda.com. Lisa provides an overview of a new twist on ransomware: an internal DDoS attack that uses the Simple Service Discovery Protocol (SSDP) for amplification.

LIFARS: Could you briefly explain how Ransomware evolved?

Lisa: Malware is malicious software, and is often one of the first ways hackers will target a system or network. Ransomware is a form of malware. Over the years, different types of Ransomware have evolved. However, all of them have the same outcome. They hold your computer hostage until you offer some type of payment or ransom. Ransomware spreads like many other types of malware, via phishing and spear phishing attacks, or other methods to get the victim to click on a link that might be on a webpage or social media that takes you to the attacker’s website to download a file.

Early Ransomware initially targeted home users, but now it has become more popular because it’s so profitable, and is infiltrating into corporations, holding data hostage until a hefty ransom is paid. If the ransom is not paid, the consequences could be grave, as the attacker may unleash malware that can destroy all the files on the system. Ransomware can block you from accessing your system, encrypt files so you can’t use them, and stop applications, such as your browser, from running.

LIFARS: You indicated we might see new variants of Ransomware, can you explain?

Lisa: Recent Ransomware attacks have focused on using encryption to lock the files and then demand a ransom for the key. However, Ransomware variants are complicating matters even more. For example, a business may have gone through an extensive exercise to secure their system from encryption Ransomware, only to face another threat.

Cyber criminals are using methods that are more refined to get you to click on a link, or go to a website. They have done their research, and identified their targets from a company directory to ensure a more successful exploit. For example, let's say a hacker has registered the legitimate-looking domain name USPSgetmypackage for $11.99 and sent the email to a business using a spear phishing attack.

Many offices send and receive multiple packages every week. Imagine a busy administrative assistant going about the day when an email comes in as follows:


Subject: NOTIFICATION – Important delivery confirmation

Message Body:

Dear Sally Parker,

Your package has been delivered to the local USPS office.

Number of Packages:  1
Service:             GROUND
Weight:              5.3 LBS
Tracking Number:     1Z7X7F64432398571293
Reference Number 1:  213223213434

*** This is an automatically generated email, please do not reply ***

Click USPSgetmypackage.com to track if we have received your shipment.

© USPS 1995-2017


The email looks official. Once the victim clicks on the link, a notification appears.

Now the problem. The security analyst is sure encrypting Ransomware won't affect their network, as they have taken all necessary precautions. However, no one has prepared for an internal DoS attack!

LIFARS: Could you briefly explain on how DDoS attack using SSDP works?

Lisa: Today hackers are using the lesser-known protocols in DDoS attacks as they're more successful in bypassing firewalls and other defense methods, which generally monitor for the common protocols such as TCP, IP and ICMP. One such protocol is Simple Service Discovery Protocol. SSDP is used to advertise and discover plug and play devices. It's an HTTP-like protocol that uses M-SEARCH and NOTIFY methods.

Researchers have identified a rise in amplification attacks using Universal Plug and Play devices. Hackers develop scripts that scan for Universal Plug and Play enabled devices and gather a list of vulnerable devices that reply to that initial discovery packet request. The devices then become reflectors for the DDoS attacks. M-SEARCH request packets generate many replies, and the amplification depends on the contents of the device description file.

In a packet analysis tool such as Wireshark, you can see the signature of the amplification effect as the length in each response amplifies or increases.

No.   Time      Source        Destination      Protocol  Length (bytes)  Info
133   0.000000  10.50.17.234  239.255.255.250  SSDP      469             Notify
134   0.000231  10.50.17.234  239.255.255.250  SSDP      478             Notify
135   0.000001  10.50.17.234  239.255.255.250  SSDP      515             Notify
136   0.001085  10.50.17.234  239.255.255.250  SSDP      519             Notify
139   0.101941  10.50.17.234  239.255.255.250  SSDP      469             Notify
140   0.000233  10.50.17.234  239.255.255.250  SSDP      478             Notify
141   0.000002  10.50.17.234  239.255.255.250  SSDP      515             Notify
142   0.000980  10.50.17.234  239.255.255.250  SSDP      519             Notify

As you can see, the length of the first packet is 469. The second response is 478. The next 515, the next 519. Each time they get a little larger. Then it does it again: 469, 478, 515, and 519.

Infected SSDP traffic will consume your bandwidth and slowly choke your network.

LIFARS: What can small and medium-sized companies do to prepare for a cyber-attack?

Lisa: Ransomware is a serious problem. Everyone is at risk of becoming a victim of Ransomware, but there are ways to avoid becoming a victim. Protect against Ransomware and other cyberattacks. Think before you click a link. Use strong spam filters. Use anti-malware protection. Don't "friend" strangers. Back up and store sensitive files in a remote storage facility. Patch and update. Don't open suspicious emails. Use a browser-based firewall. Use caution when downloading software from a website. It is a good time to ask if your business has taken the necessary steps to become aware of today's current cyber threats. Get up-to-date information on best practices to keep you and your organization safe from threats that exist in today's complex environment.


Read more about ransomware and recent variants at US-CERT: https://www.us-cert.gov/ncas/alerts/TA16-091A

To learn the basic concepts of IT security, visit here or discover many other courses on Lynda.com.
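The SSDP mechanics from the DDoS answer above, as an added example that is not code from the interview, from Lisa Bock or from LIFARS. Amplification is conventionally measured as bytes returned per byte sent, so the script builds the M-SEARCH request a UPnP device answers, parses a reply in the HTTP-like header format SSDP uses, and computes that ratio for a device that answers "ssdp:all" with one reply per service. It then runs a small detector over Wireshark-style packet summaries: the multicast NOTIFY rows (the four lengths in the table above, 469/478/515/519, are reused) are the advertisements every UPnP device sends on its own, while reflection shows up as unicast "200 OK" replies from several devices converging on one address, which is what the detector reports. Every address, reply body, UUID and packet row below is constructed for the demonstration, not captured from a real network, and the 200-byte-plus replies are illustrative of shape, not of any specific product.

```python
"""Added example (not from the interview): measure SSDP amplification and spot
the reflection pattern in packet summaries.  Every address, reply body and
packet row below is constructed for the demo, not captured from a real network."""
from dataclasses import dataclass

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st="ssdp:all", mx=1):
    """Build the HTTP-like M-SEARCH discovery request that UPnP devices answer.
    ST 'ssdp:all' asks every device to list every service it offers, so one
    request can draw many replies: the fan-out behind amplification."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp(msg):
    """Split an SSDP message (M-SEARCH, NOTIFY or 200 OK reply) into its start
    line and a dict of lower-cased headers; a blank line ends the header block."""
    head = msg.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon only: values hold URLs/ports
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def amplification_factor(request, replies):
    """Payload bytes returned per payload byte sent.  Wireshark's Length column
    also counts Ethernet/IP/UDP headers, so on-the-wire ratios differ slightly."""
    return sum(len(r) for r in replies) / len(request)


def constructed_reply(device_ip, st, uuid_tail):
    """A constructed SSDP search reply in the shape a UPnP device returns."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        f"LOCATION: http://{device_ip}:49152/rootDesc.xml\r\n"
        "SERVER: ExampleOS/1.0 UPnP/1.0 example-upnpd/1.0\r\n"
        f"ST: {st}\r\n"
        f"USN: uuid:0c1d2e3f-0000-4000-8000-{uuid_tail}::{st}\r\n"
        "\r\n"
    ).encode("ascii")


# One device answering 'ssdp:all' with a separate reply per service it advertises.
REPLIES = [
    constructed_reply("10.50.17.234", "upnp:rootdevice", "000000000001"),
    constructed_reply("10.50.17.234", "urn:schemas-upnp-org:device:MediaServer:1", "000000000001"),
    constructed_reply("10.50.17.234", "urn:schemas-upnp-org:service:ContentDirectory:1", "000000000001"),
]


@dataclass
class Pkt:
    """One row of a Wireshark-style packet summary (time is the inter-packet delta)."""
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


# Constructed summary: normal NOTIFY advertisements (lengths from the table above),
# then an M-SEARCH carrying the spoofed address of an internal server, and the
# replies from three devices that all land on that server.  Row numbers are illustrative.
VICTIM = "10.50.17.10"
SAMPLE_PKTS = [
    Pkt(133, 0.000000, "10.50.17.234", SSDP_MCAST, "SSDP", 469, "NOTIFY * HTTP/1.1"),
    Pkt(134, 0.000231, "10.50.17.234", SSDP_MCAST, "SSDP", 478, "NOTIFY * HTTP/1.1"),
    Pkt(135, 0.000001, "10.50.17.234", SSDP_MCAST, "SSDP", 515, "NOTIFY * HTTP/1.1"),
    Pkt(136, 0.001085, "10.50.17.234", SSDP_MCAST, "SSDP", 519, "NOTIFY * HTTP/1.1"),
    Pkt(137, 0.050000, VICTIM, SSDP_MCAST, "SSDP", 136, "M-SEARCH * HTTP/1.1"),
    Pkt(138, 0.000400, "10.50.17.234", VICTIM, "SSDP", 361, "HTTP/1.1 200 OK"),
    Pkt(139, 0.000020, "10.50.17.234", VICTIM, "SSDP", 402, "HTTP/1.1 200 OK"),
    Pkt(140, 0.000600, "10.50.17.40", VICTIM, "SSDP", 358, "HTTP/1.1 200 OK"),
    Pkt(141, 0.000010, "10.50.17.41", VICTIM, "SSDP", 377, "HTTP/1.1 200 OK"),
]


def find_reflection_victims(pkts, min_reflectors=3):
    """Return {victim: (distinct_reflectors, total_bytes)} for hosts receiving
    unicast SSDP '200 OK' replies from several devices.  Multicast NOTIFY traffic
    to 239.255.255.250 is normal UPnP chatter and is skipped; many replies
    converging on one unicast address is the reflection signature."""
    seen = {}
    for p in pkts:
        if p.proto != "SSDP" or p.dst == SSDP_MCAST:
            continue
        if not p.info.upper().startswith("HTTP/1.1 200"):
            continue
        reflectors, total = seen.setdefault(p.dst, (set(), 0))
        reflectors.add(p.src)
        seen[p.dst] = (reflectors, total + p.length)
    return {dst: (len(r), b) for dst, (r, b) in seen.items() if len(r) >= min_reflectors}


if __name__ == "__main__":
    req = build_msearch()
    print(f"M-SEARCH is {len(req)} bytes; {len(REPLIES)} replies total "
          f"{sum(map(len, REPLIES))} bytes -> x{amplification_factor(req, REPLIES):.1f}")
    for dst, (n, nbytes) in find_reflection_victims(SAMPLE_PKTS).items():
        print(f"{dst}: {nbytes} bytes of SSDP replies from {n} devices -> likely reflection victim")
```

The detector keys on destination rather than source on purpose: in the internal variant the attacker spoofs an inside address, so the M-SEARCH itself looks local and the only reliable tell is the fan-in of replies. For a live capture, the same logic runs over `tshark -T fields -e frame.number -e frame.time_delta -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len -e _ws.col.Info` output, and the multicast address check is also the simplest mitigation: block UDP/1900 from reaching anything but the segment that needs UPnP.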

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
