Bad Actors Innovate, Extort & Launch 9.7M DDoS Attacks


In March 2022 we released our 2H 2021 Threat Intelligence Report. The report covers worldwide distributed denial-of-service (DDoS) attack activity during 2021—particularly during the second half of the year. As always, it’s chock-full of DDoS attack statistics, trends, and insights from our elite NETSCOUT ATLAS Security Engineering and Research Team (ASERT).

Key findings include:

  • DDoS attacks continued to exceed pre-pandemic levels. During the second half of 2021, cybercriminals launched approximately 4.4 million DDoS attacks, bringing the total number of DDoS attacks in 2021 to 9.75 million. These attacks represent a 3 percent decrease from the record number set during the height of the pandemic but continue at a pace that’s 14 percent above pre-pandemic levels.
  • DDoS extortion and ransomware operations increased. Three high-profile DDoS extortion campaigns simultaneously operating worldwide is a new high. Ransomware gangs including Avaddon, REvil, BlackCat, AvosLocker, and Suncrypt were observed using DDoS to extort victims. The number of triple extortion attacks consisting of DDoS, data theft, and ransomware also increased in 2021.
  • VoIP services were targets of DDoS extortion. Worldwide DDoS extortion attack campaigns from the REvil copycat were waged against several Voice Over Internet Protocol (VoIP) services providers, costing millions of dollars of damage.
  • DDoS-for-hire services made attacks easy to launch. NETSCOUT ASERT examined 19 DDoS-for-hire services and their capabilities that eliminate the technical requirements and cost (e.g., some are free) of launching massive DDoS attacks.
  • Server-class botnet armies arrived. Cybercriminals have not only increased the number of Internet of Things (IoT) botnets but also have conscripted high-powered servers and high-capacity network devices, as seen with the GitMirai, Meris, and Dvinis botnets.
  • Direct-path attacks are gaining in popularity. Adversaries inundated organizations with TCP- and UDP-based floods, otherwise known as direct-path or non-spoofed attacks.
  • Attackers targeted select industries. Those hardest hit include software publishers (606% increase); insurance agencies and brokers (257% increase); computer manufacturers (162% increase); and colleges, universities, and professional schools (102% increase).

The unique content in this report is valuable and can be used to gain situational awareness of DDoS attack trends and bad-actor tactics, techniques, and procedures, enabling you to prepare your defenses adequately.

This knowledge is particularly important now, for as we release this report amid the Russian-Ukrainian conflict, we are again reminded of and observe the common use of DDoS attacks as a form of geopolitical protest and cyberwarfare.

Find the report, explore a real-time and historical view of global DDoS attack activity, and view additional resources on the NETSCOUT Omnis Threat Horizon portal.


By Staff Writer.