Hackers Are Stuffing DDoS Attacks with Monero Ransom Notes

March 2, 2018, 11:25 PM UTC

After a few months of relative quiet, DDoS attackers are back in full force.

Over the past week, hackers have launched a number of distributed denial of service attacks, as DDoS attacks are known, against all manner of targets. The attackers have landed on a new method of overloading their targets’ servers with faux traffic and taking their websites offline: using so-called memcached servers to massively amplify the attacks’ strength. (Memcached servers are designed to speed up the performance of certain websites; you can learn more about them in this useful blog post from Cloudflare.)

GitHub, the code-sharing site, on Wednesday fended off just such a DDoS attack, the biggest ever recorded. The battering clocked in at 1.35 terabytes per second of data aimed at its systems.

Security researchers at Akamai, the Internet performance company that helped GitHub fight off the attack, told Fortune they’ve noticed something novel in some of these recent attacks. Hackers have started stuffing the barrage of Internet traffic with ransom notes.

While it’s common for DDoS attackers to attempt to extort targets with threats and demands for Bitcoin in accompanying emails, a new set of perpetrators has started issuing demands within the inbound flood of attack traffic itself.

In one such example, which Akamai shared with Fortune, a note buried in a deluge of DDoS attack data requested payment in Monero, or XMR, a privacy-focused cryptocurrency that’s been gaining traction in cybercriminal circles. The note reads, “Pay_50_XMR_To…,” the equivalent of more than $16,000, followed by a digital wallet address, which takes the form of a long alphanumeric string.

A ransom note buried in DDoS attack traffic. Courtesy of Akamai

“It’s actually like a DDoS attack with a phishing attack with an extortion attack all rolled into one,” says Chad Seaman, a senior engineer on Akamai’s security intelligence response team. “When we saw it we were like, huh, clever bastards.”

“This is a first for us,” adds Lisa Beegle, a senior manager for security intelligence at Akamai. “We’ve seen dozens upon dozens of extortion requests, but never in the payload itself, so to speak.”

Normally, Beegle said, ransom notes wind up in people’s junk or spam folders, where they don’t get much attention. Even though DDoS attackers are trying to knock organizations offline, by stuffing the demands within attack traffic, the attackers are effectively ensuring that security analysts will see them, since the analysts are sure to be poring over incoming packets as they seek to defend themselves.

The Akamai researchers said they can’t tell whether any organizations have coughed up crypto-dough yet. Since the prospective payments would be made in Monero, they are far more difficult to trace than they would be in Bitcoin. (You can read more about the transparency of the Bitcoin blockchain, or shared ledger system, in this Fortune feature from the fall.)

Paying the ransom is essentially never a good idea, Beegle notes, and companies should avoid caving to hackers’ demands. Doing so does not assure that attackers will stop their bombardments; in fact, if word got out that an organization has paid up, then more attackers might try targeting it.

Besides, even the attackers would likely struggle to figure out which victims had paid them, given the anonymity offered by Monero.

“If a victim were to deposit the requested amount into the wallet, we doubt the attackers would even know which victim the payment originated from, let alone stop their attacks as a result,” the Akamai researchers write in a blog post. “Even if they could identify who’d sent the payment, we doubt they’d cease attacking their victim as it was never really about the money anyways.”