Lisa Bock on A New Twist on Ransomware – Internal DDoS

Lisa Bock on A New Twist on Ransomware – Internal DDoS

Lisa Bock is an associate professor of information technology at Pennsylvania College of Technology (www.pct.edu) in Williamsport, Pennsylvania. She has taught a variety of courses that include networking, security, biometrics, protocol vulnerabilities, CCNA Security, and requirements analysis and is an author for Lynda.com. Lisa provides an overview of a new form of Ransomware – Internal DDoS attack using Simple Service Discovery Protocol (SSDP) in an amplification attack.

LIFARS: Could you briefly explain how Ransomware evolved?

Lisa: Malware is malicious software, and is often one of the first ways hackers will target a system or network. Ransomware is a form of malware. Over the years, different types of Ransomware have evolved. However, all of them have the same outcome. They hold your computer hostage until you offer some type of payment or ransom. Ransomware spreads like many other types of malware, via phishing and spear phishing attacks, or other methods to get the victim to click on a link that might be on a webpage or social media that takes you to the attacker’s website to download a file.

Early Ransomware initially targeted home users, but now it has become more popular because it’s so profitable, and is infiltrating into corporations, holding data hostage until a hefty ransom is paid. If the ransom is not paid, the consequences could be grave, as the attacker may unleash malware that can destroy all the files on the system. Ransomware can block you from accessing your system, encrypt files so you can’t use them, and stop applications, such as your browser, from running.

LIFARS: You indicated we might see new variants of Ransomware, can you explain?

Lisa: Recent Ransomware attacks have focused on using encryption to lock the files and then demand a ransom for the key.  However, Ransomware variants are complicating matters even more.  For example, a business may have gone through an extensive exercise to secure their system from encryption Ransomware, only to face another threat.

Cyber criminals are using methods that are more refined to get you to click on a link, or go to a website.  They have done their research, and identified their targets from a company directory to ensure a more successful exploit.  For example, let’s saya hacker has registered the legitimate looking domain name USPSgetmypackage for $11.99 and sent the email to a business using a spear phishing attack.

Many offices send and receive multiple packages every week.  Imagine a busy administrative assistant going about the day when, an email comes in as follows:


Subject: NOTIFICATION – Important delivery confirmation

Message Body:

Dear Sally Parker,
Your package has been delivered to the local USPS office.
Number of Packages:  1

Service:              GROUND

Weight:             5.3 LBS

Tracking Number:        1Z7X7F64432398571293

Reference Number 1:  213223213434

*** This is an automatically generated email, please do not reply ***

Click USPSgetmypackage.com to track if we have received your shipment.

© USPS 1995-2017


The email looks official.  Once the victim clicks on the link, a notification appears.

encrypting Ransomware

Now the problem. The security analyst is sure encrypting Ransomware won’t affect their network, as they have taken all necessary precautions.  However, no one has prepared for an internal DoS attack!

LIFARS: Could you briefly explain on how DDoS attack using SSDP works?

Lisa: Today hackers are using the lesser known protocols in DDoS attacks as they’re more successful in bypassing firewalls and other defense methods which generally monitor for the common protocols such as TCP, IP and ICMP. One such protocol is Simple Service Discovery Protocol. SSDP is used to advertise and discover plug and play devices. It’s an HTTP-like protocol that uses M-SEARCH and NOTIFY methods.

Researchers have identified a rise in amplification attacks using universal plug and play devices. Hackers develop scripts that scan for the Universal Plug and Play enabled devices and gather a list of vulnerable devices that reply to that initial discovery packet request. The devices then become reflectors for the DDoS attacks. M-SEARCH request packets generate many replies, and the Amplification depends on the contents of the device description file.

In a packet analysis tool such as Wireshark, you can see the signature of the amplification effect as the length in each response amplifies or increases.

No.TimeSourceDestinationProtocolLengthInfo
1330.00000010.50.17.234239.255.255.250SSDP469Notify
1340.00023110.50.17.234239.255.255.250SSDP478Notify
1350.00000110.50.17.234239.255.255.250SSDP515Notify
1360.00108510.50.17.234239.255.255.250SSDP519Notify
1390.10194110.50.17.234239.255.255.250SSDP469Notify
1400.00023310.50.17.234239.255.255.250SSDP478Notify
1410.00000210.50.17.234239.255.255.250SSDP515Notify
1420.00098010.50.17.234239.255.255.250SSDP519Notify

As you can see the length is of the first packet is 469. The second response is 478. The next 515, the next 519. Each time they get a little larger. Then it does it again. 469, 478, 515, and 519.

Infected SSDP traffic will consumes your bandwidth and slowly choke your network.

LIFARS: What can small and medium-sized companies do to prepare for a cyber-attack?

Lisa: Ransomware is a serious problem. Everyone is at risk for becoming a victim of Ransomware, but there are ways to avoid becoming a victim. Protect against Ransomware and other cyberattacks. Think before you click a link. Use strong spam filters. Use anti-malware protection. Don’t “friend” strangers. Backup and store sensitive files in a remote storage facility. Patch and Update. Don’t open suspicious emails. Use a browser-based firewall. Use caution when downloading software from a website. It is a good time to ask if your business has taken the necessary steps to become aware of today’s current cyber threats. Get up to date information on best practices to take to keep you and your organization safe from threats that exist in today’s complex environment.

Read more about ransomware and recent variants at USCERT https://www.us-cert.gov/ncas/alerts/TA16-091A

To learn the basic concepts of IT security, visit here or discover many other courses on Lynda.com.