DDoS Extorters Claim to Be Armada Collective, Fancy Bear

Cybercriminals claiming to represent well-known threat groups such as Fancy Bear and Armada Collective have been threatening organizations with distributed denial of service (DDoS) attacks, Akamai warns.

The attacks started roughly a week ago and are targeting a variety of sectors, including financial and retail, attempting to extort large sums of money from potential victims.

Like extortion groups that operated in the past, the attackers contact victim companies and warn them of an imminent DDoS attack on their infrastructure unless a ransom is paid.

The extortion messages are similar to those observed in previous incidents and in some cases warn the victim that, should the extortion demand be disclosed publicly, the DDoS attack would begin immediately.

“If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. (sic),” an extortion letter supposedly coming from Armada Collective reads.

“…your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. […] We will completely destroy your reputation and make sure your services will remain offline until you pay. (sic),” a message allegedly sent by Fancy Bear states.

The group claiming to be Armada Collective asks victims to pay a 5 BTC ransom, or 10 BTC after the deadline is reached. They also note that the amount will increase by 5 BTC per day, until the ransom is paid.

The attackers that call themselves Fancy Bear ask victims to pay 20 BTC in ransom, or 30 BTC if the deadline is missed. The amount would increase by 10 BTC for each day thereafter.

In some of the letters, the attackers claim to be able to launch DDoS attacks of up to 2 Tbps.

According to Akamai, the extortion attempts are likely the work of copycat groups, and not that of the two well-known adversaries.

“The Akamai SIRT suspects the extortion demands are originating from copycats using the reputation of known attack groups as a means of intimidation in order to expedite payment,” Akamai notes, recommending that organizations refrain from paying any ransom.

Armada Collective, an extortion group that was highly active five years ago, has inspired several copycat groups, some of them observed in late 2015 and throughout 2016.

Also referred to as APT 28, Pawn Storm, Strontium, Sednit, and Tsar Team, Fancy Bear is a cyber-espionage group linked to the Russian government. In fact, the United States says it is a military unit of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
