Over the past week, memcached reflection attacks have taken the DDoS scene by storm. With several attacks hitting organizations across many industries, including a record breaking 1.3Tbps attack against an Akamai customer. Akamai has observed a new trend in extortion attempts using memcached payloads to deliver the message.

Extortion and DDoS

While extortion isn't new to the DDoS world, it's always interesting to see how attackers will leverage it. Earlier pioneers, like DD4BC, would send ominous emails with attack and payment information, dates, and deadlines, along with small attacks, while threatening larger attacks and larger payouts being required to stop them if victim cooperation wasn't satisfactory. This was followed by a slew of copycats and groups who took the shotgun approach, and hoped that someone would take the bait to prevent an attack that was never coming. These actors would often send threatening emails to several large organizations in unison without changing payment or other details. These were empty threats hoping to capitalize on the fears of the organization in an attempt at a quick cash grab.

Extortion and memcached

Memcached has become the new kid on the block in the DDoS world, with widespread and rapid adoption by attackers pushing attacks of all sizes across organizations and industries. As with most powerful attacks, it didn't take long for attackers to come up with ways to turn the threat into a business opportunity.

Fig. 1 memcached DDoS packet with payment request information

These attack payloads were captured during live attacks against multiple customers on the Akamai Prolexic Routed platform. If you look closely, you can see that buried in that attack traffic appears to be an extortion attempt. The attackers insist that the victim pay 50 ($16,000+) Monero (XMR) to the wallet address they've so graciously included. This appears to be in line with similar tactics used with extortion emails. Multiple targets are sent the same message in hopes that any of them will pay the ransom.

How and why?

In the case of memcached attacks, the attackers have the ability to drop payloads onto the memcached server they intend to reflect off of. While most attackers are filling these records with junk, it appears these attackers have decided to load up their payloads with payment amount and wallet address information in the hopes of duping desperate victims into forking over their cold hard crypto-cash.

Keep your money to pay for your bandwidth

The actor/group that appears to be leveraging this technique has used this same attack technique with the same amounts and wallet address against multiple victims in multiple industries. There is no sign to suggest that they are actively tracking the targets reaction to the attacks, no contact information, no detailed instructions on payment notification. If a victim were to deposit the requested amount into the wallet, we doubt the attackers would even know which victim the payment originated from, let alone stop their attacks as a result. Even if they could identify who'd sent the payment, we doubt they'd cease attacking their victim as it was never really about the money anyways.