Security Experts:

Empty DDoS Threats: Cybercriminal Group is All Bark and No Bite

A new cyber-extortion group going by the name of the Armada Collective is extorting organizations by demanding they pay a ransom in order to avoid being hit by distributed denial of service (DDoS) attacks.

While this doesn’t sound out of the ordinary, the new gang has never actually launched a single DDoS attack, researchers at CloudFlare say. The group started targeting businesses in March and has already managed to extort more than $100,000 from potential victims, although it appears they never carried out an actual attack.

The group’s alleged name is Armada Collective, but its modus operandi doesn’t fully resemble that of the original Armada Collective, which used to launch a small-size DDoS attack against a targeted organization before sending out the threat email to demand a ransom. The new group seems to be only a copycat determined to cash out as much as possible by launching empty threats, researchers suggest.

The threat emails sent by this new group landed in the inboxes of more than 100 CloudFlare customers, but the security firm says that none of them was actually hit by an attack. Moreover, the researchers say they contacted other DDoS mitigation vendors and found that, although their customers too received the threat, no DDoS attack was launched.

In its threat email, the Armada Collective copycat demanded businesses pay a “protection fee” in Bitcoin, but researchers discovered that the group was reusing Bitcoin addresses, meaning that it couldn’t tell whether a specific victim paid or not. Regardless, the extortion emails sent by the cybercriminal gang have been consistent over the last two months.

The requested protection was typically in the range of 10-50 Bitcoin (approximately $4,600 – $23,000), but CloudFlare couldn’t find a correlation between the requested amount and the size of the victim organization.

However, since the group was targeting multiple businesses at the same time and requested them to send the same amount to the same Bitcoin address, there was no way to tell who paid the fee. The attackers treated all victims the same, by attacking none of them, and this explains why CloudFlare's researchers couldn’t track a single DDoS attack launched against organizations that received the extortion emails.

The “original” Armada Collective gang, on the other hand, did carry through with its DDoS threats, yet the group went silent in November last year, after attempting an attack against the encrypted email service ProtonMail (the service might have been attacked by a state-sponsored actor). Usually, the group would launch a small DDoS attack to “prove it can do so,” then threated victims with a second, more powerful attack, if they didn’t pay a ransom.

The Armada Collective group followed the business model established by the DD4BC (DDoS “4” Bitcoin) extortion group, which launched a total of 141 attacks between September 2014 and August 2015, and CloudFlare suggests that the two were one and the same gang. The Armada Collective/DD4BC attackers claimed to be capable of launching 500Gbps DDoS attacks, but mitigation vendors never saw attacks larger than 60Gbps.

As Recorded Future revealed last December, the success that DD4BC and Armada Collective enjoyed inspired other cyber-extortion groups to adopt similar tactics. In January 2016, Operation Pleiades, an international effort from law enforcement agencies, resulted in alleged members of the DD4BC group being arrested.

While the new Armada Collective copycat has yet to prove that it can launch DDoS attacks, doing so is relatively easy. Additionally, there are other DDoS extortion groups that are capable of doing so, and they are not sending empty threats, researchers say. 

Related: DDoS Attacks Continue to Rise in Power and Sophistication

view counter