Blocked DDoS attack volumes up, tech, healthcare and finance most targeted
Second quarter blocked DDoS attack volumes were up more than 40% compared to the same period in 2020, a Radware report reveals. The report provides an overview of DDoS attack trends by industry, as well as across applications and attack types.
Notable takeaways
- On average, a company had to detect and block nearly 5,000 malicious events and a volume of 2.3TB per month during the second quarter of 2021.
- During the second quarter of 2021, the average number of blocked malicious events per company was up more than 30% and the average blocked volume per company increased by more than 40% compared to the second quarter of 2020.
- During the first half of 2021, a company located in the Americas or Europe, the Middle East and Africa (EMEA) had to repel, on average, twice as much volume as a company located in Asia-Pacific (APAC). The Americas and EMEA accounted for about 80% of the blocked attack volume during that same period.
“While large ransomware attacks are capturing headlines, there are other cyber threats that companies need to pay attention to,” said Pascal Geenens, director of threat intelligence for Radware.
“From an increase in DDoS extortion campaigns and DDoS hit-and-run assaults, to a hacktivist group targeting financial organizations in the Middle East, the second quarter saw a concerning amount of cyber activity compared to the activity levels we saw during the same quarter last year. The results of this report should serve as a strong reminder to enterprises that no company is immune from being a target.”
Tech topped most attacked industries
According to the report, the most attacked industry in the quarter was technology, with an average of almost 3,000 attacks per company, followed by healthcare (2,000 attacks per company) and finance (1,350 attacks per company). Attacks in retail, communications and telecommunications averaged between 600 and 1,000 per company.
Gaming averaged more than 400 attacks per company, while an average of approximately 280 attacks targeted government and utility organizations. In terms of blocked volume, retail endured the highest volumes in the second quarter, followed by gaming, telecommunications and technology, which blocked the second, third and fourth highest volumes respectively.
Aggressive burst attacks waged against tech and finance companies
The report also revealed there were notable burst attacks during the second quarter of 2021. These attacks targeted companies in finance and technology. These ‘hit-and-run’ DDoS assaults use repeated short bursts of high-volume attacks and were particularly aggressive in their amplitude (attack size) and frequency (number of bursts per unit of time).
One attack showed multiple consistent 80Gbps bursts, lasting two to three minutes and repeating every four minutes. This resulted in 12 attack bursts of 80Gbps within a 45-minute timeframe.
Ransom denial-of-service campaigns resurge
The second quarter saw a renewed DDoS extortion campaign by an actor posing as Fancy Lazarus. By the end of May, Radware had numerous emergency onboardings of its cloud security services from organizations that received these ransom letters.
Ransom denial-of-service (RDoS) attacks, in which the victim receives a letter with a demand to pay a ransom or become the target of a DDoS attack, have been a persistent component of the DDoS threat landscape since August of 2020.
Malicious scanners exploit vulnerabilities
During the second quarter of 2021, companies, on average, blocked almost 2,000 scan events by unsolicited vulnerability scanners. According to the attack report, of those scans, 40% were performed by potentially malicious scanners looking to actively exploit known vulnerabilities and attack an organization.
Vulnerability scanners are automated tools that allow organizations to check if their networks and applications have security weaknesses that could expose them to attacks.
“Organizations are being challenged by well organized threat actors,” Geenens said. “The window between the disclosing and weaponizing of new vulnerabilities is getting very slim. In some cases, we observed less than 24 hours between a manufacturer publishing a patch and malicious activity trying to exploit the vulnerability.”