DDoS Extortionists Are Still Here, Now Threatening to Spread Ransomware

One year after the DDoS extortion campaigns appeared, a group, calling itself Armada Collective, continues scaring website owners with extortion email messages.

Latest known victim of such attack is Etienne Delport from Port Elizabeth, South Africa, the owner of DailyGammon, a website for playing Backgammon online.

A week ago, on September 5th, Delport posted on Twitter the email containing a ransom note, which she dah received from a group posing as Armada Collective.

In the email, the group had written that unless Delport immediately paid 1 Bitcoin ($610) to the address show, she would face 10-300 Gbps DDoS attack the next day. The crooks also warned that if the DDoS had already started and the victim decides she wanted them to stop, the ransom would jump to 20 Bitcoin ($12,150).

Such attacks were first seen last year when a group named DD4BC started using them. This group, however, was arrested by Europol last winter but many other wannabes appeared following their steps. This includes Armada Collective, who`s most lucrative hit was against ProtonMail, when the email provides was forced to pay $6,000 to avoid a huge DDoS attack.

After that, such extortion attacks seemed to slowly go down only to reappear in the winter of 2016 when many companies started complaining they have also been threatened.

Security experts couldn’t prove that the real Armada Collective had been the one responsible for the attacks. However, their number undoubtedly started growing, this time hitting not only huge companies that could afford the high ransom but any website owners as well.

Then, in April this year, CloudFlare detected a group threatening users but never actually launching any DDoS attacks. The group was using a certain list of Bitcoin addresses in its extortion emails and used the names of two, very famous for their huge DDoS attacks, groups – LizardSquad and Armada Collective.

However, no one could tell apart the real Armada Collective ransom emails from all those copycats one, which followed the very successful ProtonMail hit.

This most recent email that Delport received clearly showed that the crooks wanted to incorporate a new wrinkle in their tactics. They tought it would be a great idea to mention the Cerber ransomware in the extortion email, which stated:

All the computers on your network will be attacked for Cerber – Crypto-Ransomware.” – the extortion email reads.

Seeing this has been written in a very broken English, researchers assumed that the group is not a native English speaker. Moreover, they clearly have no idea now the Cerber ransomware actually operates.

A ransomware can`t be installed on a network via DDoS attack. Web servers are usually hosted on Linux computers and Cerber isn’t capable of infecting Linux running machines. To install Cerber on a network, the crooks would need to breach the servers and if they are actually good enough to do that they would sell the internal data on the Dark Web instead of wasting time with emails like this. Their aim was most likely to scare the victim enough to pay the ransom.

Delport said in the interview with IBTimes that she has no intention of paying up. Another victim, Michael O’Connor from Cornwall, UK, also received the same email, revealed also the report.

After checking the Bitcoin wallet shown in the ransom note, researchers saw that no payments have been made. They also googled the “1Pnv9xaEdBFGXzhX6EDo2XAgrDxxdg25WU” address and run across other victims who have shared their ransom notes online. The notes had the same Bitcoin address leading back to the start of this year.

The Bitcoin address from the extortion emails, found by CloudFlare in April, is also the same, tied to the group using the names of both LizardSquad and Armada Collective.

Back then, CloudFlare reported that this phony group didn’t have the technical knowledge to launch a DDoS attack and they were only launching empty threats. However, when Softpedia published an article about the copycat group online, they were as risk on DDoS attack for 12 hours.

Website owners are strongly advised, if they ever receive such extortion email, to use the time between its arrival and the DDoS deadline time to invest in DDoS mitigation services. According to law enforcement, it doesn’t matter if the extortion attempt takes place in cyber- or real world, paying the ransom in neither a good nor a smart option.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.