Connect with us

Hi, what are you looking for?



DDoS Extorters Claim to Be Armada Collective, Fancy Bear

Cybercriminals claiming to represent well-known threat groups such as Fancy Bear and Armada Collective have been threatening organizations with distributed denial of service (DDoS) attacks, Akamai warns.

Cybercriminals claiming to represent well-known threat groups such as Fancy Bear and Armada Collective have been threatening organizations with distributed denial of service (DDoS) attacks, Akamai warns.

The attacks started roughly a week ago and are targeting a variety of sectors, including financial and retail, attempting to extort large sums of money from potential victims.

Similar to extortion groups that operated in the past, the attackers would contact victim companies warning them of an imminent DDoS attack on their infrastructure, unless a ransom was paid.

The extortion messages are similar to those observed in previous incidents and in some cases warn the victim that, should the extortion demand be disclosed publicly, the DDoS attack would begin immediately.

“If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. (sic),” an extortion letter supposedly coming from Armada Collective reads.

“…your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. […] We will completely destroy your reputation and make sure your services will remain offline until you pay. (sic),” a message allegedly sent by Fancy Bear states.

The group claiming to be Armada Collective asks victims to pay a 5 BTC ransom, or 10 BTC after the deadline is reached. They also note that the amount will increase by 5 BTC per day, until the ransom is paid.

Advertisement. Scroll to continue reading.

The attackers that call themselves Fancy Bear ask victims to pay 20 BTC in ransom, or 30 BTC if the deadline is missed. The amount would increase by 10 BTC for each day thereafter.

In some of the letters, the attackers claim to be able to launch DDoS attacks of up to 2 Tbps.

According to Akamai, the extortion attempts are likely the work of copycat groups, and not that of the two well-known adversaries.

“The Akamai SIRT suspects the extortion demands are originating from copycats using the reputation of known attack groups as a means of intimidation in order to expedite payment,” Akamai notes, recommending that organizations refrain from paying any ransom.

Armada Collective, an extortion group that was highly active five years ago, has inspired several copycat groups, some of them observed in late 2015 and throughout 2016.

Also referred to as APT 28, Pawn Storm, Strontium, Sednit, and Tsar Team, Fancy Bear is a cyber-espionage group linked to the Russian government. In fact, the United States says it is a military unit of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Related: Akamai Mitigates Record 809 MPPS DDoS Attack

Related: T-Mobile Outage Mistaken for Massive DDoS Attack on U.S.

Related: NXNSAttack: New DNS Vulnerability Allows Big DDoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...