More ransomware gangs are attempting to use Distributed Denial of Service (DDoS) attacks to bring down victims' web services, on top of encrypting files and locking computers, as a means of pressuring the victim company to pay the ransom quickly. If a victim tries to restore from local backups or does not attempt negotiation within a given period, Avaddon will launch a DDoS attack in an attempt to instill fear in the affected victim and will not stop until payment is provided. This kind of secondary attack has also been seen from the SunCrypt and RagnarLocker ransomware gangs. The tactic is a definite departure from other high-tier ransomware gangs such as REvil, Netwalker, DoppelPaymer, Egregor (Maze), and Ryuk, which primarily focus on data exfiltration and force the hand of victims by threatening to release stolen data.
Ransomware operators are experimenting with new ways to put pressure on victims. Whether the attackers are using stolen data or bringing external assets like web servers to a standstill, organizations need playbooks and plans that spell out what kind of response will be taken when ransomware affects them. Incorporating a reverse proxy for DDoS protection from services like Cloudflare or Akamai is becoming more common and can offer mitigation against the tactics being seen from gangs like Avaddon. As always, investing in continuous endpoint and network monitoring will enable the visibility and quick response times that allow incident response and recovery plans to be more effective and cohesive.