SecurityWeek

Cyberwarfare

Empty DDoS Threats: Cybercriminal Group is All Bark and No Bite

A new cyber-extortion group going by the name of the Armada Collective is extorting organizations by demanding they pay a ransom in order to avoid being hit by distributed denial of service (DDoS) attacks.

While this doesn’t sound out of the ordinary, the new gang has never actually launched a single DDoS attack, researchers at CloudFlare say. The group started targeting businesses in March and has already managed to extort more than $100,000 from potential victims, although it appears they never carried out an actual attack.

The group’s alleged name is Armada Collective, but its modus operandi doesn’t fully resemble that of the original Armada Collective, which used to launch a small-size DDoS attack against a targeted organization before sending out the threat email to demand a ransom. The new group seems to be only a copycat determined to cash out as much as possible by launching empty threats, researchers suggest.

The threat emails sent by this new group landed in the inboxes of more than 100 CloudFlare customers, but the security firm says that none of them was actually hit by an attack. Moreover, the researchers say they contacted other DDoS mitigation vendors and found that, although their customers too received the threat, no DDoS attack was launched.

In its threat email, the Armada Collective copycat demanded businesses pay a “protection fee” in Bitcoin, but researchers discovered that the group was reusing Bitcoin addresses, meaning that it couldn’t tell whether a specific victim paid or not. Regardless, the extortion emails sent by the cybercriminal gang have been consistent over the last two months.

The requested protection was typically in the range of 10-50 Bitcoin (approximately $4,600 – $23,000), but CloudFlare couldn’t find a correlation between the requested amount and the size of the victim organization.

However, since the group was targeting multiple businesses at the same time and requested them to send the same amount to the same Bitcoin address, there was no way to tell who paid the fee. The attackers treated all victims the same, by attacking none of them, and this explains why CloudFlare’s researchers couldn’t track a single DDoS attack launched against organizations that received the extortion emails.
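One way a defender can triage a batch of such extortion emails, as an added example that is not part of the article or of CloudFlare's research: group the messages received by different organizations by the Bitcoin address they demand payment to. An address demanded from several recipients is exactly the signal described above: the sender cannot tell who paid, so the threat cannot be selectively enforced. The recipient names, addresses and email bodies below are constructed.

```python
import re
from collections import defaultdict

# Loose match for legacy (1.../3...) Bitcoin addresses as they appear in
# extortion emails; adequate for triage, not for validating a payment.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|Bitcoin)", re.IGNORECASE)

def parse_extortion_email(recipient, body):
    """Pull the demanded amount and payment address out of one email body."""
    addr = BTC_ADDRESS_RE.search(body)
    amt = AMOUNT_RE.search(body)
    return {
        "recipient": recipient,
        "address": addr.group(0) if addr else None,
        "amount_btc": float(amt.group(1)) if amt else None,
    }

def find_shared_addresses(emails):
    """Map each payment address to the distinct recipients it was demanded from.
    An address reused across organizations means the sender cannot tell which
    victim paid, so a 'pay or be attacked' threat cannot be enforced per victim."""
    by_address = defaultdict(set)
    for e in emails:
        if e["address"]:
            by_address[e["address"]].add(e["recipient"])
    return {a: sorted(r) for a, r in by_address.items() if len(r) > 1}

# Constructed sample messages (hypothetical recipients and addresses).
SAMPLE_EMAILS = [
    ("alpha.example", "Pay 20 BTC to 1ArmadaCopycatDemoAddr23456789123 or face DDoS."),
    ("beta.example", "Pay 20 BTC to 1ArmadaCopycatDemoAddr23456789123 or face DDoS."),
    ("gamma.example", "Pay 20 Bitcoin to 1ArmadaCopycatDemoAddr23456789123 or face DDoS."),
    ("delta.example", "Pay 5 BTC to 3UniqueDemandDemoAddr23456789123 within 48h."),
]

def triage(samples=SAMPLE_EMAILS):
    """Return only the addresses that were demanded from more than one recipient."""
    parsed = [parse_extortion_email(r, b) for r, b in samples]
    return find_shared_addresses(parsed)

if __name__ == "__main__":
    for address, recipients in triage().items():
        print(f"{address}: shared by {', '.join(recipients)} (payer cannot be distinguished)")
```

Sharing such observations with a mitigation vendor or peer organizations is what allowed the empty-threat pattern in the article to be recognized in the first place.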

The “original” Armada Collective gang, on the other hand, did carry through with its DDoS threats, yet the group went silent in November last year, after attempting an attack against the encrypted email service ProtonMail (the service might have been attacked by a state-sponsored actor). Usually, the group would launch a small DDoS attack to “prove it can do so,” then threaten victims with a second, more powerful attack if they didn’t pay a ransom.

The Armada Collective group followed the business model established by the DD4BC (DDoS “4” Bitcoin) extortion group, which launched a total of 141 attacks between September 2014 and August 2015, and CloudFlare suggests that the two were one and the same gang. The Armada Collective/DD4BC attackers claimed to be capable of launching 500Gbps DDoS attacks, but mitigation vendors never saw attacks larger than 60Gbps.

As Recorded Future revealed last December, the success that DD4BC and Armada Collective enjoyed inspired other cyber-extortion groups to adopt similar tactics. In January 2016, Operation Pleiades, an international effort from law enforcement agencies, resulted in alleged members of the DD4BC group being arrested.

While the new Armada Collective copycat has yet to prove that it can launch DDoS attacks, doing so is relatively easy. Moreover, other DDoS extortion groups do have that capability, and their threats are not empty, researchers say.

Related: DDoS Attacks Continue to Rise in Power and Sophistication