DDoS Extortion E-mail: Yet Another Bluff? (Fri, Jul 7th)

DDoS extortion campaigns continue to be reported. Two weeks ago, Johannes Ullrich published a diary [1] about a fake DDoS threat pretending to be sent by Anonymous, threatening the targeted company with a massive attack unless it paid in Bitcoins. Yesterday a similar extortion campaign was reported to us, although this time it was followed by a real DDoS "test", as promised by the sender.

The threat message appears to be a copycat of an old campaign reported last year in a blog post by CloudFlare [2]. It was signed by the same "Armada Collective" group, as seen below (the text was partially anonymized):

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.

In past, we launched one of the largest attacks in Switzerland's history. Use Google.
All network of [victim's name] will be DDoS-ed starting [date]. if you don't pay 10 Bitcoins @ [bitcoin address]

When we say all, we mean all – users will not be able to use any of your services.

Right now we will start 15 minutes attack on one of your IPs ([victim's IP address]). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by [date], attack will start, price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.
Our attacks are extremely powerful – our Mirai botnet can reach over 1 Tbps per second. So, no protection will help.
Prevent it all with just 10 BTC @ [bitcoin address]
Do not reply, we will probably not read. Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Although the targeted company did receive the DDoS test attack, some aspects of the way it was carried out raise questions about the veracity of the campaign. Analysis of the test traffic made it clear that it was sent through a reflection attack abusing open NTP services on the Internet, not from a botnet like Mirai as claimed in the message: every packet came from source port UDP/123 (the NTP service).
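The observation above (all packets from UDP/123, many unrelated sources, oversized responses) is something a defender can confirm from flow records rather than by eyeballing a capture. The script below is an added example, not code from this diary or from Morphus Labs: it parses a constructed flow-log format, measures the share of inbound bytes arriving from UDP source port 123, the number of distinct sources and the average packet size, and labels the burst as NTP reflection when all three indicators line up. The log format, the sample records, the IP addresses and the thresholds are all constructed for the illustration and are not taken from the incident.

```python
"""Check whether a burst of inbound flow records looks like NTP reflection.

Added example, not code from the ISC diary or from Morphus Labs. The log
format, the records themselves and the thresholds are constructed for this
illustration and are not taken from the incident described in the diary.
"""
import re
from dataclasses import dataclass

NTP_PORT = 123

# Thresholds are assumptions for this example; tune them to your own traffic.
REFLECTION_SHARE = 0.90      # share of inbound bytes that must come from UDP/123
MIN_DISTINCT_SOURCES = 50    # reflection arrives from many unrelated hosts
LARGE_RESPONSE_BYTES = 200   # a plain NTP reply is 48 bytes; amplified replies are far larger

# Constructed flow-log format:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> pkts=<n> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+pkts=(?P<pkts>\d+)\s+bytes=(?P<octets>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    octets: int


def parse_lines(lines):
    """Parse constructed flow-log lines, skipping anything that does not match."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                          m["proto"], int(m["pkts"]), int(m["octets"])))
    return flows


def summarize(flows):
    """Measure how much of the traffic is UDP/123 and how amplified it looks."""
    total = sum(f.octets for f in flows)
    ntp = [f for f in flows if f.proto == "udp" and f.sport == NTP_PORT]
    ntp_bytes = sum(f.octets for f in ntp)
    ntp_pkts = sum(f.pkts for f in ntp)
    return {
        "total_bytes": total,
        "ntp_share": ntp_bytes / total if total else 0.0,
        "ntp_sources": len({f.src for f in ntp}),
        "ntp_avg_packet_bytes": ntp_bytes / ntp_pkts if ntp_pkts else 0.0,
    }


def classify(flows):
    """Return 'ntp_reflection' when all three indicators line up, else 'other'."""
    s = summarize(flows)
    if (s["ntp_share"] >= REFLECTION_SHARE
            and s["ntp_sources"] >= MIN_DISTINCT_SOURCES
            and s["ntp_avg_packet_bytes"] >= LARGE_RESPONSE_BYTES):
        return "ntp_reflection"
    return "other"


def top_reflectors(flows, n=5):
    """Sources sending the most UDP/123 bytes: candidates for upstream filtering."""
    per_src = {}
    for f in flows:
        if f.proto == "udp" and f.sport == NTP_PORT:
            per_src[f.src] = per_src.get(f.src, 0) + f.octets
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


def constructed_reflection_log():
    """60 reflectors, each 100 packets of 440 bytes, plus a little normal web traffic."""
    target = "203.0.113.10"
    lines = [f"2017-07-06T10:00:{i % 60:02d} udp 198.51.100.{i}:123 -> {target}:{40000 + i} "
             f"pkts=100 bytes=44000" for i in range(1, 61)]
    lines.append(f"2017-07-06T10:00:30 tcp 192.0.2.5:51000 -> {target}:443 pkts=20 bytes=3000")
    lines.append(f"2017-07-06T10:00:31 tcp 192.0.2.6:52000 -> {target}:80 pkts=10 bytes=1500")
    lines.append("this line is malformed and is skipped by the parser")
    return lines


def constructed_direct_log():
    """Same number of sources, but ephemeral source ports and small packets."""
    target = "203.0.113.10"
    return [f"2017-07-06T11:00:{i % 60:02d} udp 198.51.100.{i}:{50000 + i} -> {target}:53 "
            f"pkts=100 bytes=6000" for i in range(1, 61)]


if __name__ == "__main__":
    for name, log in (("reflection", constructed_reflection_log()),
                      ("direct", constructed_direct_log())):
        flows = parse_lines(log)
        print(name, classify(flows), summarize(flows), top_reflectors(flows, 3))
```

The three indicators matter together: a single large UDP/123 flow is just a busy NTP peer, and many small flows from port 123 are ordinary time sync. When the verdict is reflection, the source list from top_reflectors is what an ISP filtering agreement (discussed below) would act on, and it also tells you the "botnet" claim in the message is unsupported by the traffic.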

Regardless of the campaign's credibility, it is worth taking some time to review your company's anti-DDoS strategy. In most scenarios, a pre-established agreement with your ISP to filter out volumetric attacks can avoid unpleasant surprises and high costs during an emergency. If you already have such an agreement, it is worth putting it to the test and checking whether the response time suits your business requirements.

So far, we are unaware of any case of a DDoS actually being launched after these threatening e-mails, and there is no reason to pay, especially since there is no guarantee that the extortion would stop if you did.

If you received similar e-mails, please forward them to us.

References:
[1] https://isc.sans.edu/forums/diary/Fake+DDoS+Extortions+Continue+Please+Forward+Us+Any+Threats+You+Have+Received/22550/
[2] https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/


Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.