Analysis: Impact of DD4BC Arrests
Will Takedown Serve as a Deterrent for Copycats?
Will this week's arrests of a "main target" and another suspect tied to the distributed denial-of-service extortion group known as DD4BC, or DDoS for Bitcoin, deter copycats from continuing to wage similar schemes?
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, is among the experts who don't anticipate a deterrent effect. "Realistically, this is a model that is going to be copied," he says. "There has been an explosion in the last six months of extortion and ransomware. And the more notoriety they get for the takedown, the more copycats there will be."
Copycats will thrive, Kellermann contends, because the more extortion attacks that are waged, the more money companies will pay out. "I don't recommend that, but time is money, and companies will pay the extortion to keep their operations up and running," he says.
In contrast, Roland Dobbins of DDoS-mitigation and security firm Arbor Networks argues cyber-extortion is a risky crime, and the arrest of one of DD4BC's apparent leaders might help deter other cyber-extortionists.
"The serial DDoS extortionist model requires that in order to be successful, threat actors must be prolific, must keep a steady stream of attacks and potential targets in the pipeline and must communicate interactively with the victims," he says. "This arrest shows ... that serial DDoS extortionists run a significant risk of being apprehended."
Europol, the European police association, announced this week that law enforcement agencies across the globe, including the U.S. Secret Service, the Federal Bureau of Investigation, Interpol and agencies in Australia and Japan, assisted with the arrests linked to DD4BC (see Europol Announces DD4BC Arrests).
Extortion Attacks Growing
Kellermann believes that a criminal group transitioning from street crime to cybercrime is likely behind DD4BC. And assuming that other members of the group remain at large, it's unlikely that DD4BC - or copycats, for that matter - will disappear anytime soon, he contends.
"DD4BC has performed attacks against a broad spectrum of organizations, and arresting key operators is obviously an effective way to address that issue for at least the near future," says John Miller, head of the cybercrime intelligence practice at security and analysis firm iSIGHT Partners. "However, we do agree that extortion attacks similar to DD4BC's aren't going to stop just due to this operation. ... DDoS capabilities can be acquired very easily in the e-crime underground, which makes it easy for new participants to become involved in extortive DDoS operations."
Because many extortion attacks are waged from countries that do not have extradition treaties with the U.S., stopping the criminals who wage these attacks will continue to prove challenging, says Al Pascual, head of fraud and security at the consultancy Javelin Strategy & Research.
"This arrest was important from the perspective that it demonstrates to DDoS extortion copycats and other wannabes that they can be gotten," Pascual says. "That said, despite the laudable international cooperation involved here, not every locality is going to play nice. We can expect attacks to continue, unabated, from places typically beyond the reach of law enforcement, such as Russia. This will be the first of many arrests to be sure; but I would caution anyone from believing that the end is in sight, especially with DDoS services so readily available" (see DDoS: 4 Attack Trends to Watch in 2016).
DD4BC, which emerged in mid-2014, has waged numerous Bitcoin extortion attacks against a wide range of businesses, including banking institutions, the online gaming industry, the entertainment industry and other high-profile companies, Europol notes.
Many large organizations across the world have been targeted by DD4BC, but not all have been adversely affected, says Dobbins of Arbor Networks.
"Organizations which were attacked by DD4BC, and other DDoS extortionists, and were prepared weren't affected," he says. "Preparation is key. Never pay."
Dobbins says banking institutions and other companies that conduct a significant amount of business online need to ensure they are continually reviewing and updating their DDoS mitigation strategies to ensure they are prepared for an extortion attack.
Even though a significant DD4BC leader apparently has been arrested, Dobbins says the threats posed by DD4BC are ongoing. "U.S. banks can't take this as a sign to let their guard down," he says. "We've already seen lots of DD4BC copycats over the last year-and-a-half - those pretending to be the 'original' DD4BC as well as threat actors with their own monikers, such as the Armada Collective."