2015-12-09

Unknown Copycat Using Armada Collective Name for DDoS-for-Bitcoin Extortions

Cyber-crime syndicates are moving in, pushing script kiddies out of the picture, expect more large-scale attacks

After the success of DDoSing outfits like DD4BC and Armada Collective, an unknown copycat that's using the Armada Collective name but asking for astronomical payments has appeared.
A report from Recorded Future, a real-time threat intelligence protection company, shows that DDoS-for-Bitcoin extortion schemes are here to stay, with more and more attacks being launched solely for this reason.

DD4BC have launched a new type of extortion scheme

This trend can be traced back to an Akamai report released over the summer that documented the actions of a hacking group known as DD4BC (DDoS 4 Bitcoin). This group launched DDoS attacks on companies around the world, requesting small payments in Bitcoin from each target.
The group's scheme was a simple one: they would send threatening emails to business owners, saying they would launch powerful DDoS attacks if a ransom was not paid in due time to a specific Bitcoin wallet. To prove their point, a small 15-minute DDoS attack was launched to showcase their capabilities.
DD4BC's scheme proved extremely lucrative and allowed the group to rack up Bitcoin over the past year in more than 140 DDoS attacks.
The group had been active since late 2014 and suddenly stopped its activity after the Akamai report was released, probably to avoid being caught by law enforcement authorities alerted to its scheme.

Enter Armada Collective

Soon after, the first DD4BC copycat arose, in the form of the Armada Collective hackers, carrying out DDoS attacks on small businesses in Switzerland.
They then expanded to email providers, and their name became known around the world in the famous ProtonMail incident. The incident is very well documented in one of our previous stories, but we'll give you a small summary.
Basically, Armada Collective followed DD4BC's regular tactics, sending an email and launching a small 10-15 Gbps DDoS attack on ProtonMail.
Armada Collective returning ransom to ProtonMail
As soon as the attack ended, ProtonMail revealed what happened, and more serious attacks took place, with ProtonMail paying the ransom in the end. Armada Collective denied any involvement and even went as far as to return the ProtonMail ransom, putting the blame on a state-sponsored actor with capabilities that far exceeded its own.

Enter the unknown copycat

But something else happened recently that made the Recorded Future team stop and ponder the bigger picture: the DDoS-for-Bitcoin attacks on three major Greek banks.
With DD4BC and Armada Collective always launching small-scale attacks and requesting modest ransoms (the equivalent of a few thousand dollars), this new group attacking Greek banks does not fit the bill.
While the attacks of DD4BC and Armada Collective seem to be the work of script kiddies, the ones that brought down ProtonMail and the three major Greek banks were massive in scale.
Coupled with the fact that this new group also requests ransoms in the order of millions of dollars, there are clear signs that it is a copycat trying to remain hidden by passing as Armada Collective (as stated in the email sent to the Greek banks).
With the number of DDoS-for-Bitcoin attacks on the rise, this type of cyber-threat is about to evolve from the work of script kiddies to the normal MO of larger cyber-criminal syndicates.
