Using news reports as a source of intelligence

Steve Townsley | 24 February 2016

It’s often tempting to overplay the importance of exploring dark and deep web sources in providing intelligence value. However, there’s much we can learn from mainstream news reporting, when viewed through an analytical lens. 

It was reported recently by the security company Incapsula that 34 of their florist customers had experienced distributed denial of service (DDoS) attacks prior to Valentine’s Day, one of which reported receiving a ransom note. Apart from being a great excuse as to why you didn't buy your loved one flowers for this holiday, these attacks hit on one of the busiest days of the year for the floral industry, and caused a “great loss of revenue.”

With a lack of information, and of alternative hypotheses, let’s assume that all the attacks were DDoS extortion (a minor leap of faith!). What does this mean for organizations? Well, DDoS extortion isn't new, but traditionally it has targeted organizations with significant dependencies on their online availability. Gambling sites prior to a big match, cloud services, and online banking have all experienced DDoS extortion. Looking at this trend, we can see the choice of targets for DDoS extortion diversifying to include lower-level organizations. In this case, we can point to clear actionable points: organizations need to identify the dates on which their online availability matters most, and ensure they have sufficient countermeasures in place ahead of them.

News reports aren’t always accurate to begin with, however. Take the example of the hospital that was infected by ransomware and purportedly involved a “$3.6m ransom.” At Digital Shadows, our analysts are born to be skeptical and this set our alarm bells ringing. In contrast to the extraordinarily large extortion demand was a statement from the CEO of the hospital that said the attack was random. Typical ransomware demands are in the region of $500, and campaigns are usually designed to cast the net wide by infecting as many machines as possible, in the hope that some victims will pay. Random demands would be highly unlikely to ask for that much; the costs would be just too high to justify.

Furthermore, it is important to note that the alleged source of the large demand was an unnamed “computer consultant reported to be local to the hospital.” Part of intelligence tradecraft is to evaluate sources and, without speaking directly to this one, we were unable to judge his reliability. When this claim first emerged, our analysts were quick to assess a realistic possibility that the reported ransom demand was overstated.

Two days later, the hospital made a public statement – the actual ransom demand was closer to $17,000, somewhat lower than first suggested but still extremely high. This raised the question: was this a targeted attack, or was this a case of multiple infections across multiple machines? We still don’t know.

However, the hospital’s decision to make its ransom payment public was significant. Our analysts were unable to point to a prior public admission of such a high extortion demand. The most recent comparable example occurred at the end of last year, when Protonmail publicly acknowledged a payment to the Armada Collective, a DDoS extortion group.

So, after casting a critical eye on the initial news reports, what does this all mean for extortion? The likely answer is that it may encourage others to commence targeted ransomware campaigns – something that, despite the limited technical barriers to this, has not been previously observed by Digital Shadows. Does this episode mark the start of a new era of targeted ransomware against businesses? Only time will tell, but the public disclosure of this ransom payment may set a worrying precedent and serve to encourage the use of this tactic.