Armada Collective is back, extorting Financial Institutions in Switzerland

Published on 2016-03-11 10:30:00 UTC by GovCERT.ch (permalink)
Last updated on 2016-04-27 06:54:59 UTC

UPDATE 2016-04-27 07:00 UTC

A new wave of extortion emails has arrived in different Swiss Onlineshops. We have strong indications, that those extortioner are a copycat of Armada Collective.
Our recommendations regarding these extortion emails in Switzerland are the same as last year:
Do not pay the ransom

-------------------------------------------

In September 2015, we’ve blogged about a hacker group called Armada Collective that was blackmailing hosting providers in Switzerland ("DDoS for bitcoin"). A few days ago, MELANI / GovCERT.ch started to receive reports from financial institutions in Switzerland that received a blackmail from a group that pretends to be Armada Collective. MELANI / GovCERT.ch is aware that dozens of financial institutions in Switzerland are target of similar extortion attempts. We do not know if these extortion emails originate from the Armada Collective or not. It is possible that these originate from a copycat. However, the emails that have been sent out to financial institutions in Switzerland look very similar to what we have seen in September 2015 being sent to hosting providers in Switzerland.

From: Armada Collective
Subject: DDOS ATTACK!!!
Date: Wed, 9 Mar 2016 XX:XX:XX +0000

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.
http://www.govcert.admin.ch/blog/14/armada-collective-blackmails-swiss-hosting-providers

All your servers will be DDoS-ed starting Monday (March 14) if you
don't pay protection - 25 Bitcoins @
17j7onEtLgS2pd6qLekKQCteqTrnAFXZVS
If you don't pay by Monday, attack will start, price to stop will
increase to 50 BTC and will go up 20 BTC for every day of attack.

This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second.
So, no cheap protection will help.

Prevent it all with just 25 BTC @ 17j7onEtLgS2pd6qLekKQCteqTrnAFXZVS

Do not reply, we will not read. Pay and we will know its you. AND YOU
WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

These extortion emails usually originate from free email service providers (such as Gmail or Openmail) and are being sent to the info@ email address of the targeted financial institution. Unlike the extortion attempts conducted by Armada Collective in September 2015, we are not aware of any "Demo DDoS attacks" against the blackmailed organizations at the time being. Also, the amount of money (or better said, bitcoins) the blackmailed organization should pay to Armada Collective apparently increased from 20 bitcoins to 25 bitcoins (which is currently around CHF 10’525). A further slight difference to earlier campaigns is the parallelism of extortion demands and multiple reuse of the same bitcoin address. This leads to the assumption the attackers hope that someone pays on the first demand and they do not plan to actually DDoS all the potential victims. Nevertheless a few exemplary attacks on some organisation should be expected.

What surprised us is the fact that at least some of the extortion emails contain a link to our previous blog post about Armada Collective on GovCERT.ch. However, not all extortion emails contain this link: Some are simply pointing to http://lmgtfy.com/?q=Armada+Collective

Our recommendations regarding the recent extortions against financial institutions in Switzerland are the same as last year: Do not pay the ransom

Possible mitigation techniques (these have to be discussed with your ISP and / or upstream provider):

  • To mitigate TCP SYN floods and layer 7 based attacks (e.g. HTTP flood), you may want to implement rate limiting based on the source IP address
  • Most websites are hosted on servers that are only running a web service. Hence there is no reason to allow any UDP traffic towards your webserver. You may want to consider dropping any UDP traffic towards your webserver at your or your ISPs network edge
  • If you are hosting critical infrastructure on the same network than your website, you should consider to move your website to a different network or an anti DDoS provider

MELANI / GovCERT.ch has also published a more detailed set of recommendations to mitigate DDoS attacks. These recommendations are available in German, French, Italian and English.

Massnahmen gegen DDoS Attacken (German):
https://www.melani.admin.ch/melani/de/home/dokumentation/checklisten-und-anleitungen/massnahmen-gegen-ddos-attacken.html

Mesures à prendre contre les attaques DDoS (French):
https://www.melani.admin.ch/melani/fr/home/documentation/listes-de-controle-et-instructions/massnahmen-gegen-ddos-attacken.html

Misure contro attacchi DDoS (Italian):
https://www.melani.admin.ch/melani/it/home/dokumentation/liste-di-controllo-e-guide/massnahmen-gegen-ddos-attacken.html

Measures to counter DDoS attacks (English):
https://www.melani.admin.ch/melani/en/home/dokumentation/checklists-and-instructions/massnahmen-gegen-ddos-attacken.html

Further reading about Armada Collective:

Armada Collective blackmails Swiss Hosting Providers:
http://www.govcert.admin.ch/blog/14/armada-collective-blackmails-swiss-hosting-providers

Update on Armada Collective extort Swiss Hosting Providers:
http://www.govcert.admin.ch/blog/15/update-on-armada-collective-extort-swiss-hosting-providers

Share on Twitter Share on Facebook

Back to top