Armada Collective blackmails Swiss Hosting Providers

Published on 2015-09-22 08:00:00 UTC by GovCERT.ch (permalink)
Last updated on 2016-04-29 08:10:05 UTC

UPDATE 2016-04-27

A new wave of extortion emails has arrived in different Swiss Onlineshops. We have strong indications, that those extortioner are a copycat of Armada Collective.
Our recommendations regarding these extortion emails in Switzerland are the same as last year:
Do not pay the ransom

-------------------------------------------

Earlier this year, we warned about DD4BC, a hacker group that tried to extort money from high value targets in Switzerland and abroad. While DD4BC is still around, MELANI / GovCERT.ch as well as the Cybercrime Coordination Unit Switzerland (CYCO) did receive several independent reports from hosting Providers in Switzerland recently that they are being blackmailed by a hacker group that calls themselves Armada Collective.

The modus operandi observed was exactly the same as in the case of DD4BC: The Aramda Collective blackmails their victim, demanding 10 BTC (Bitcoins), which is around 2’500 CHF. At the same time, the hackers launch a Distributed Denial of Service Attack (DDoS) against the victim’s web site to demonstrate their power. This demo DDoS attack usually lasts for 15min – 30min, while the bandwidth varies from around 300Mbit/s up to 15GBit/s and occasionally even more.The attackers threats their victim that in case of non-paying, they will launch another, even bigger DDoS attack to bring the victims website down.

The attackers usually send their blackmail from either armadacollective@openmailbox.org or a similar email address at a free email service provider, using the subject "Ransom request: DDOS ATTACK!".

The blackmail may look like this:

From: "Armada Collective" armadacollective@openmailbox.org
To: abuse@victimdomain; support@victimdomain; info@victimdomain
Subject: Ransom request: DDOS ATTACK!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 20 Bitcoins @ XXX

When we say all, we mean all - users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site's IP (victims IP address). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday , attack will start, price to stop will increase to 40 BTC and will go up 20 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 20 BTC @ XXX

Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

In case of Armada Collective, our recommendations are the same as for DD4BC: Rather than give in and pay the Armada Collective a certain amount of Bitcoins, we recommend victims to talk to their Internet Services Provider (ISP) to discuss mitigation techniques, such as IP based rate limiting or (temporary) Geo IP address filter. In addition, MELANI / GovCERT.ch and CYCO recommends to file a criminal complaint at your local police and avoid any communication with the attackers.

Possible mitigation techniques (these have to be discussed with your ISP and / or upstream provider):

  • If you are only doing business in Switzerland, you might want to consider to implement a (temporary) Geo IP filter in order to only allow connections from Swiss IP space
  • To mitigate TCP SYN floods and layer 7 based attacks (e.g. HTTP flood), you may want to implement rate limiting based on the source IP address
  • Most websites are hosted on servers that are only running a webservice. Hence there is no reason to allow any UDP traffic towards your webserver. You may want to consider dropping any UDP traffic towards your webserver at your or your ISPs network edge
  • If you are hosting critical infrastructure on the same network than your website, you should consider to move your website to a different network or an anti DDoS provider

MELANI / GovCERT.ch has also published a more detailed set of recommendations to mitigate DDoS attacks. These recommendations are available in German, French, Italian and English.

Massnahmen gegen DDoS Attacken (German):
https://www.melani.admin.ch/melani/de/home/dokumentation/checklisten-und-anleitungen/massnahmen-gegen-ddos-attacken.html

Mesures à prendre contre les attaques DDoS (French):
https://www.melani.admin.ch/melani/fr/home/documentation/listes-de-controle-et-instructions/massnahmen-gegen-ddos-attacken.html

Misure contro attacchi DDoS (Italian):
https://www.melani.admin.ch/melani/it/home/dokumentation/liste-di-controllo-e-guide/massnahmen-gegen-ddos-attacken.html

Measures to counter DDoS attacks (English):
https://www.melani.admin.ch/melani/en/home/dokumentation/checklists-and-instructions/massnahmen-gegen-ddos-attacken.html

Share on Twitter Share on Facebook

Back to top