With some members of the so-called Armada Collective in jail, another actor has decided to co-opt their technique of sending threatening DDoS extortion messages to businesses worldwide.
Only difference is, this group isn’t following through with its threat, and it’s still collecting serious money.
A blog post from CloudFlare CEO Matthew Prince says that the group has pocketed more than $100,000 without throwing a punch in anger.
“To date, we’ve not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we’re aware of not paying the extortion fee,” Prince said. “We’ve compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.”
Key members of the Armada Collective, also known as DD4BC (DDoS for Bitcoin), were put away in January by Europol during Operation Pleiades. The group had extorted virtual coins from businesses for more than two years before the arrests. According to reports from Akamai and Recorded Future, the group would threaten DDoS attacks of a significant magnitude—anywhere from 500 Gbps and 1 terabyte-per-second—but usually followed through with smaller attacks.
The current threats are finding success without having to go the DDoS route.
“While the actual members of the original Armada Collective appear locked up in a European jail, with little more than some Bitcoin addresses and an email account some enterprising individuals are drafting off the group’s original name, sowing fear, and collecting hundreds of thousands of extorted dollars,” Prince said.
CloudFlare said it has been seeing similar emails from the group sent to a number of customers that identify themselves as the Armada Collective and threatening a DDoS attack by a certain date if a “protection fee” isn’t paid in Bitcoin.
“If you don’t pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack. This is not a joke,” says the note.
The emails threaten 1 Tbps attacks that will elude detection, and demand anywhere from 10 to 50 Bitcoin in payment; 50 Bitcoin is approximately $23,000 USD.
“While the message states that the attackers will know who has paid, we’ve seen several examples of multiple victims being targeted during the same time period and asked to send the same amount to the same Bitcoin address,” Prince said. “Since Bitcoin is, as the message correctly notes, anonymous, this means that there is no way for the attacker to tell who has paid the extortion fee and who has not.”