Story image

Ransom DDoS attacks surged in final quarter of 2021 - report

By Shannon Williams, Wed 12 Jan 2022

Ransom DDoS attacks increased by 29% YoY and 175% QoQ in the last quarter 2021, according to new research from Cloudfare.

The first half of 2021 witnessed massive ransomware and ransom DDoS attack campaigns that interrupted aspects of critical infrastructure around the world (including one of the largest petroleum pipeline system operators in the US) and a vulnerability in IT management software that targeted schools, public sector, travel organisations, and credit unions.

The second half of the year recorded a growing swarm of one of the most powerful botnets deployed (Meris) and record-breaking HTTP DDoS attacks and network-layer attacks observed over the Cloudflare network. This besides the Log4j2 vulnerability (CVE-2021-44228) discovered in December that allows an attacker to execute code on a remote server — arguably one of the most severe vulnerabilities on the Internet since both Heartbleed and Shellshock.

Prominent attacks such as the ones listed above are but a few examples that demonstrate a trend of intensifying cyber-insecurity that affected everyone, from tech firms and government organisations to wineries and meat processing plants.

According to Cloudfare,Q4 21 was the busiest quarter for attackers in 2021. In December 2021 alone, there were more than all the attacks observed in Q1 and Q2 21 separately. And one out of every three survey respondents reported being targeted by a ransom DDoS attack or threatened by the attacker.

While the majority of attacks were small, terabit-strong attacks became the new norm in the second half of 2021. Cloudflare automatically mitigated dozens of attacks peaking over 1 Tbps, with the largest one peaking just under 2 Tbps — the largest the company says it has ever seen.

The Manufacturing industry was the most attacked in Q4 21, recording a whopping 641% increase QoQ in the number of attacks. The Business Services and Gaming/Gambling industries were the second and third most targeted industries by application-layer DDoS attacks.

Q4 21, and November specifically, recorded a persistent ransom DDoS campaign against VoIP providers around the world.
 
For the fourth time in a row this year, China topped the charts with the highest percentage of attack traffic originating from its networks.

Attacks originating from Moldova quadrupled in Q4 ’21 QoQ, making it the country with the highest percentage of network-layer DDoS activity.

A new botnet called the Meris botnet emerged in mid-2021 and continued to bombard organisations around the world, launching some of the largest HTTP attacks on record — including a 17.2M rps attack that Cloudflare automatically mitigated.

This research is based on DDoS attacks that were automatically detected and mitigated by Cloudflare’s DDoS Protection systems.

To analyze attack trends, Cloudflare calculates the “DDoS activity” rate, which is the percentage of attack traffic out of the total traffic (attack + clean) observed over its global network. Measuring attack numbers as a percentage of the total traffic observed allows Cloudflare to normalise data points and avoid biases reflected in absolute numbers towards, for example, a Cloudflare data centre that receives more total traffic and likely, also more attacks.

Recent stories
More stories