Published on September 22, 2015 08:00 UTC by GovCERT.ch. Last updated on April 29, 2016 08:10 UTC.
A new wave of extortion emails has reached several Swiss online shops. We have strong indications that these extortioners are copycats of Armada Collective. Our recommendation regarding these extortion emails in Switzerland is the same as last year: do not pay the ransom.
Earlier this year, we warned about DD4BC, a hacker group that tried to extort money from high-value targets in Switzerland and abroad. While DD4BC is still around, MELANI / GovCERT.ch and the Cybercrime Coordination Unit Switzerland (CYCO) have recently received several independent reports from hosting providers in Switzerland that they are being blackmailed by a group calling itself Armada Collective.
The modus operandi observed is exactly the same as in the case of DD4BC: Armada Collective blackmails the victim, demanding 10 BTC (Bitcoins), which was around 2'500 CHF at the time (the amount varies; the sample mail below asks for 20 BTC). At the same time, the attackers launch a Distributed Denial of Service (DDoS) attack against the victim's website to demonstrate their capability. This demo attack usually lasts 15 to 30 minutes, with bandwidth ranging from around 300 Mbit/s up to 15 Gbit/s and occasionally more. The attackers threaten that if the victim does not pay, they will launch another, even bigger DDoS attack to take the victim's website down.
The attackers usually send their blackmail from either armadacollective@openmailbox.org or a similar email address at a free email service provider, using the subject "Ransom request: DDOS ATTACK!".
The blackmail may look like this:
From: "Armada Collective" armadacollective@openmailbox.org
To: abuse@victimdomain; support@victimdomain; info@victimdomain
Subject: Ransom request: DDOS ATTACK!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 20 Bitcoins @ XXX

When we say all, we mean all - users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site's IP (victims IP address). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday, attack will start, price to stop will increase to 40 BTC and will go up 20 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 20 BTC @ XXX

Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.
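A mail-gateway or abuse-desk triage rule built from the indicators named above, as an added example (not code from the original post and not a GovCERT.ch tool). The sender address and the "Ransom request" subject are the ones the post reports; the remaining patterns, the scoring weights, the threshold and the three sample mails are assumptions made for this example. The copycat sample shows why the verdict must not rest on the sender address alone:

```python
"""Triage an inbound mail for the DDoS extortion pattern described in the post.

Added example, not GovCERT.ch code. KNOWN_SENDERS and SUBJECT_RE come from the
post; every other pattern, the weights, the threshold and the sample mails are
assumptions made for this example.
"""
import email
import email.utils
import re
from email import policy

KNOWN_SENDERS = {"armadacollective@openmailbox.org"}            # reported in the post
SUBJECT_RE = re.compile(r"ransom request", re.IGNORECASE)       # reported in the post
ACTOR_RE = re.compile(r"armada collective|dd4bc", re.IGNORECASE)  # assumption
DDOS_RE = re.compile(r"\bddos\b", re.IGNORECASE)                # assumption
BTC_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", re.IGNORECASE)  # assumption

# Assumed weights; tune against your own mail flow before relying on them.
WEIGHTS = {"known_sender": 3, "ransom_subject": 2, "actor_named": 2, "ddos_for_btc": 2}
THRESHOLD = 4


def triage(raw: bytes) -> dict:
    """Return the indicators hit, a score, the largest Bitcoin demand and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    haystack = f"{subject}\n{text}"

    btc_amounts = [float(m) for m in BTC_RE.findall(haystack)]
    indicators = []
    if sender in KNOWN_SENDERS:
        indicators.append("known_sender")
    if SUBJECT_RE.search(subject):
        indicators.append("ransom_subject")
    if ACTOR_RE.search(haystack):
        indicators.append("actor_named")
    if DDOS_RE.search(haystack) and btc_amounts:   # a DDoS threat tied to a Bitcoin demand
        indicators.append("ddos_for_btc")
    score = sum(WEIGHTS[i] for i in indicators)
    return {
        "sender": sender,
        "indicators": indicators,
        "score": score,
        "max_btc": max(btc_amounts) if btc_amounts else None,
        "verdict": "extortion" if score >= THRESHOLD else "benign",
    }


# Constructed sample mails (not real messages), modelled on the pattern in the post.
SAMPLE_MAIL = b"""From: "Armada Collective" <armadacollective@openmailbox.org>
To: abuse@victim.example
Subject: Ransom request: DDOS ATTACK!
Content-Type: text/plain; charset=utf-8

We are Armada Collective. All your servers will be DDoS-ed starting Friday
if you don't pay 20 Bitcoins. Right now we will start 15 minutes attack on
your site's IP. If you don't pay by Friday the price to stop will increase
to 40 BTC and will go up 20 BTC for every day of attack.
"""

COPYCAT_MAIL = b"""From: ddos-team@mail.example
To: info@shop.example
Subject: DDoS ATTACK! Ransom request
Content-Type: text/plain; charset=utf-8

Pay 5 BTC by Monday or your shop goes offline. This is not a joke.
"""

BENIGN_MAIL = b"""From: alice@customer.example
To: support@victim.example
Subject: Invoice question
Content-Type: text/plain; charset=utf-8

Hi, could you re-send the invoice for September? Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MAIL), ("copycat", COPYCAT_MAIL), ("benign", BENIGN_MAIL)):
        print(name, triage(raw))
```

The score is only a triage signal: a hit should route the mail to the abuse desk so that the post's advice can be applied (do not pay, do not reply, talk to the ISP, file a complaint), not trigger any automatic reply.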
In the case of Armada Collective, our recommendations are the same as for DD4BC: rather than giving in and paying the Armada Collective any amount of Bitcoin, we recommend that victims talk to their Internet Service Provider (ISP) about mitigation techniques such as IP-based rate limiting or a (temporary) GeoIP filter. In addition, MELANI / GovCERT.ch and CYCO recommend filing a criminal complaint with your local police and avoiding any communication with the attackers.
Possible mitigation techniques (these have to be discussed with your ISP and / or upstream provider):
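The two techniques named above, per-source-IP rate limiting and a temporary GeoIP filter, compared on a constructed request stream, as an added example (not code from the original post and not a GovCERT.ch tool). The request stream, the prefix-to-country table standing in for a GeoIP database and the thresholds are all assumptions made for this example. Both filters are applied where a reverse proxy or host firewall would apply them, i.e. to requests that actually reach the host:

```python
"""Compare per-source-IP rate limiting with a temporary GeoIP filter.

Added example, not GovCERT.ch code. The traffic mix, the GEO_TABLE (a stand-in
for GeoIP data) and the thresholds are assumptions made for this example.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed prefix -> country table (assumption standing in for a GeoIP database).
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "CH",     # customers in Switzerland
    ipaddress.ip_network("198.51.100.0/24"): "CH",  # attack hosts inside Switzerland
    ipaddress.ip_network("203.0.113.0/24"): "XX",   # foreign: attack hosts and a few customers
}


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


class SlidingWindowLimiter:
    """Admit at most `limit` requests per source IP within any `window` ticks."""

    def __init__(self, limit: int, window: int):
        self.limit = limit
        self.window = window
        self.admitted = defaultdict(deque)  # src -> timestamps of admitted requests

    def allow(self, src: str, ts: int) -> bool:
        q = self.admitted[src]
        while q and ts - q[0] >= self.window:   # forget requests that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def make_stream():
    """Constructed traffic over 60 s; timestamps are integers in tenths of a second.

    20 Swiss and 5 foreign customers send one request every 3 s each; 50 foreign
    and 5 Swiss attack hosts send 10 requests per second each (a small-scale stand-in
    for the 15-30 minute demo attack). Returns (ts, src_ip, is_attack) sorted by time.
    """
    stream = []
    customers = [f"192.0.2.{10 + i}" for i in range(20)] + [f"203.0.113.{200 + i}" for i in range(5)]
    for i, ip in enumerate(customers):
        for sec in range(i % 3, 60, 3):
            stream.append((sec * 10, ip, False))
    attackers = [f"203.0.113.{i}" for i in range(1, 51)] + [f"198.51.100.{i}" for i in range(1, 6)]
    for ts in range(600):
        for ip in attackers:
            stream.append((ts, ip, True))
    stream.sort(key=lambda r: r[0])
    return stream


def evaluate(stream, allow_countries=("CH",), limit=30, window=100):
    """Count the legitimate and attack requests that each mitigation lets through."""
    totals = {"legit": 0, "attack": 0}
    geo = {"legit": 0, "attack": 0}
    rate = {"legit": 0, "attack": 0}
    limiter = SlidingWindowLimiter(limit, window)   # 30 requests per 10 s per source
    for ts, ip, is_attack in stream:
        kind = "attack" if is_attack else "legit"
        totals[kind] += 1
        if country_of(ip) in allow_countries:       # temporary GeoIP allow-list
            geo[kind] += 1
        if limiter.allow(ip, ts):                   # per-source rate limit
            rate[kind] += 1
    return {"totals": totals, "geo_filter": geo, "rate_limit": rate}


if __name__ == "__main__":
    result = evaluate(make_stream())
    for name in ("geo_filter", "rate_limit"):
        passed = result[name]
        print(f"{name:11s} legit {passed['legit']}/{result['totals']['legit']}  "
              f"attack {passed['attack']}/{result['totals']['attack']}")
```

On this stream the GeoIP filter drops about 91% of the flood but also every request from the foreign customers, while the rate limit keeps all customers yet still admits 30% of a distributed flood, because each of the 55 sources stays under its own per-IP budget a third of the time. Neither helps once the uplink is saturated: at the 300 Mbit/s to 15 Gbit/s the post describes, the packets never reach the host, which is why these filters have to be placed with the ISP or upstream provider.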
MELANI / GovCERT.ch has also published a more detailed set of recommendations to mitigate DDoS attacks. These recommendations are available in German, French, Italian and English.
Massnahmen gegen DDoS Attacken (German): https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-unternehmen/aktuelle-themen/massnahmen-schutz-ddos.html
Mesures à prendre contre les attaques DDoS (French): https://www.melani.admin.ch/melani/fr/home/documentation/listes-de-controle-et-instructions/massnahmen-gegen-ddos-attacken.html
Misure contro attacchi DDoS (Italian): https://www.melani.admin.ch/melani/it/home/dokumentation/liste-di-controllo-e-guide/massnahmen-gegen-ddos-attacken.html
Measures to counter DDoS attacks (English): https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-unternehmen/aktuelle-themen/massnahmen-schutz-ddos.html