BELGRADE – Beginning in March 2016, the Cloudflare team began hearing reports of a gang of cybercriminals once again calling themselves the Armada Collective. The gang's calling card was an extortion email sent to a wide variety of online businesses, threatening to launch DDoS attacks if they weren't paid in Bitcoin.
More than 100 existing and prospective Cloudflare customers had received the Armada Collective's emailed threats. Cloudflare says it has also compared notes with other DDoS mitigation vendors whose customers had received similar threats.
Their conclusion was a bit of a surprise: Cloudflare has been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, there’s no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments.
The extortion emails sent by the Armada Collective have been remarkably consistent over the last two months. Here’s an example:
To: [Victim Org's Role Account]
From: [email protected]
Subject: DDOS ATTACK!!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

http://lmgtfy.com/?q=Armada+Collective

Your network will be DDoS-ed starting [date] if you don't pay protection fee - 10 Bitcoins @ [Bitcoin Address].

If you don't pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. And we pass CloudFlare and others remote protections! So, no cheap protection will help.

Prevent it all with just 10 BTC @ [Bitcoin Address]

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.
The “protection fee” demanded ranged from 10 to 50 Bitcoin (approximately USD$4,600 to USD$23,000 at BTC-to-USD exchange rates as of 25 April 2016). There does not appear to be any correlation between the amount requested and the size or financial resources of the threatened victim.
While the message states that the attackers will know who has paid, Cloudflare has seen several examples of multiple victims being targeted during the same time period and asked to send the same amount to the same Bitcoin address. Since Bitcoin is, as the message correctly notes, anonymous, this means that there is no way for the attacker to tell who has paid the extortion fee and who has not.
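The address-reuse observation above is something a security team can check mechanically once it has more than one reported copy of the email. The following Python is added here and is not Cloudflare's code; the victim names and Bitcoin addresses are placeholders constructed for the example, and the email bodies are cut down from the template quoted above.

```python
import re
from collections import defaultdict

# Base58 P2PKH/P2SH address: leading 1 or 3, then 25-34 chars with no 0, O, I, l.
BTC_ADDR = r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
# Matches the template's demand phrasing: "10 Bitcoins @ <addr>" or "10 BTC @ <addr>".
# Deliberately case-sensitive so the Base58 character class stays strict.
DEMAND_RE = re.compile(r"(\d+)\s*(?:[Bb]itcoins?|BTC)\s*@\s*(" + BTC_ADDR + r")\b")

# Constructed sample reports: (reporting victim, body of the email it received).
# Addresses here are placeholders built for this example, not real indicators.
REPORTS = [
    ("victim-a.example",
     "Your network will be DDoS-ed starting [date] if you don't pay protection fee"
     " - 10 Bitcoins @ 1CopycatDemoAddrXYZ123456789ABCDEF. Prevent it all with just"
     " 10 BTC @ 1CopycatDemoAddrXYZ123456789ABCDEF"),
    ("victim-b.example",
     "Your network will be DDoS-ed starting [date] if you don't pay protection fee"
     " - 10 Bitcoins @ 1CopycatDemoAddrXYZ123456789ABCDEF."),
    ("victim-c.example",
     "Your network will be DDoS-ed starting [date] if you don't pay protection fee"
     " - 20 Bitcoins @ 3UniqueDemoAddrQRS987654321ZYXWVU."),
]


def extract_demands(body):
    """Return {address: amount_in_btc} for every demand phrase found in one email.

    The same address repeated within one email collapses to a single entry.
    """
    return {addr: int(amount) for amount, addr in DEMAND_RE.findall(body)}


def find_shared_addresses(reports):
    """Group reports by payment address and keep addresses sent to 2+ distinct victims.

    A payment address demanded of several victims at once cannot tell the sender
    which victim paid, which is the point the text makes about this campaign.
    """
    victims_by_addr = defaultdict(set)
    for victim, body in reports:
        for addr in extract_demands(body):
            victims_by_addr[addr].add(victim)
    return {addr: sorted(v) for addr, v in victims_by_addr.items() if len(v) > 1}


if __name__ == "__main__":
    for addr, victims in find_shared_addresses(REPORTS).items():
        print(f"{addr} demanded of {len(victims)} victims: {', '.join(victims)}")
```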
Given that the attackers can’t tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, not a single attack has been launched against a threatened organization.
Unfortunately, in spite of the lack of actual DDoS follow-through, it appears that many victims are paying the extortion fee. A security analyst from the Bitcoin analysis firm Chainalysis studied payments sent to the Armada Collective's Bitcoin addresses and concluded that more than USD$100,000 has been sent to the attackers by victims.
This is not the first group to call themselves the Armada Collective. Unlike the current incarnation, the original Armada Collective did carry through on their DDoS threats. That group went silent in November 2015. It’s suspected that “Armada Collective” was originally one of the names used by the DD4BC DDoS extortion group. Alleged members of DD4BC were arrested in January 2016 as part of Europol’s Operation Pleiades.
The original Armada Collective/DD4BC attackers claimed the ability to generate 500Gbps DDoS attacks. In reality, Cloudflare and other DDoS mitigation vendors never saw attacks larger than 60Gbps. Regardless, Cloudflare successfully mitigated all of the original group's attacks targeting its customers, perhaps prompting the copycat Armada Collective to double the size of their claimed attack capacity to 1Tbps and call Cloudflare out by name in their new threats. Cloudflare says it has plenty of capacity to stop even an attack that large, if it ever turns out to be anything more than hypothetical.
While the actual members of the original Armada Collective appear to be locked up in a European jail, some enterprising individuals with little more than a few Bitcoin addresses and an email account are drafting off the group's original name, sowing fear, and collecting hundreds of thousands of extorted dollars.
After terrorizing companies under the fake Armada Collective moniker, the same group appears to have switched to using the name of the infamous Lizard Squad hacking crew.
It’s important to note that not all DDoS extortion threats are empty. There are several groups currently sending out extortion emails that actually do follow through on their threats.
However, if you ever receive a threat and want to know more about the group, don't hesitate to contact the Cloudflare team if your website is on their network.