Published on March 11, 2016 10:30 UTC by GovCERT.ch (permalink) Last updated on April 27, 2016 06:54 UTC
A new wave of extortion emails has arrived at various Swiss online shops. We have strong indications that these extortioners are copycats of Armada Collective. Our recommendation regarding these extortion emails in Switzerland is the same as last year:
Do not pay the ransom
In September 2015, we blogged about a hacker group called Armada Collective that was blackmailing hosting providers in Switzerland ("DDoS for bitcoin"). A few days ago, MELANI / GovCERT.ch started to receive reports from financial institutions in Switzerland that had received a blackmail email from a group claiming to be Armada Collective. MELANI / GovCERT.ch is aware that dozens of financial institutions in Switzerland are the target of similar extortion attempts. We do not know whether these extortion emails originate from the Armada Collective or not; it is possible that they come from a copycat. However, the emails sent to financial institutions in Switzerland look very similar to those sent to hosting providers in Switzerland in September 2015.
From: Armada Collective
Subject: DDOS ATTACK!!!
Date: Wed, 9 Mar 2016 XX:XX:XX +0000

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.
http://www.govcert.admin.ch/blog/14/armada-collective-blackmails-swiss-hosting-providers

All your servers will be DDoS-ed starting Monday (March 14) if you don't pay protection - 25 Bitcoins @ 17j7onEtLgS2pd6qLekKQCteqTrnAFXZVS

If you don't pay by Monday, attack will start, price to stop will increase to 50 BTC and will go up 20 BTC for every day of attack.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 25 BTC @ 17j7onEtLgS2pd6qLekKQCteqTrnAFXZVS

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.
These extortion emails usually originate from free email service providers (such as Gmail or Openmail) and are sent to the info@ address of the targeted financial institution. Unlike the extortion attempts conducted by Armada Collective in September 2015, we are not aware of any "demo DDoS attacks" against the blackmailed organisations at this time. Also, the amount of money (or rather, bitcoins) the blackmailed organisation is asked to pay to Armada Collective has apparently increased from 20 bitcoins to 25 bitcoins (currently around CHF 10'525). A further slight difference from earlier campaigns is that the extortion demands are sent out in parallel and the same bitcoin address is reused across many of them. This suggests that the attackers hope someone pays on the first demand and do not plan to actually DDoS all the potential victims; with one shared address they cannot even tell which victim paid, contrary to what the email claims. Nevertheless, a few demonstration attacks against some organisations should be expected.
What surprised us is that at least some of the extortion emails contain a link to our previous blog post about Armada Collective on GovCERT.ch. However, not all extortion emails contain this link: some simply point to http://lmgtfy.com/?q=Armada+Collective
Our recommendation regarding the recent extortion attempts against financial institutions in Switzerland is the same as last year:
Do not pay the ransom
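The indicators described above (free-mail sender, info@ recipient, bitcoin address, BTC amounts, links) can be pulled out of reported emails and correlated across reports, so that reuse of one payment address against several targets becomes visible. The following is an added triage example, not code from GovCERT.ch; the sample mails are constructed from the message quoted in this post (recipients, the sender address and the second bitcoin address are made up), the list of free-mail domains is an assumption, and bitcoin addresses are only matched syntactically, with no checksum validation.

```python
"""Triage of reported DDoS-extortion emails: extract indicators, correlate by address."""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Assumption: a small allow-list of free e-mail providers; extend for your own reports.
FREE_MAIL_DOMAINS = {"gmail.com", "openmailbox.org", "outlook.com", "yahoo.com"}

# Syntactic match for a legacy Base58 bitcoin address (no checksum verification).
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"]+")


def extract_indicators(raw_mail: str) -> dict:
    """Return the extortion indicators found in one plain-text RFC 822 message."""
    msg = message_from_string(raw_mail)
    body = msg.get_payload() if not msg.is_multipart() else ""
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    addresses = sorted(set(BTC_ADDR_RE.findall(body)))
    amounts = [float(a) for a in BTC_AMOUNT_RE.findall(body)]
    # Additive score over the features the post describes; threshold is a tuning choice.
    score = 0
    score += 2 if re.search(r"ddos", subject + body, re.IGNORECASE) else 0
    score += 2 if addresses else 0
    score += 1 if amounts else 0
    score += 1 if re.search(r"armada collective", body, re.IGNORECASE) else 0
    score += 1 if sender_domain in FREE_MAIL_DOMAINS else 0
    score += 1 if recipient.lower().startswith("info@") else 0
    return {
        "recipient": recipient.lower(),
        "sender_domain": sender_domain,
        "btc_addresses": addresses,
        "btc_amounts": amounts,
        "urls": URL_RE.findall(body),
        "score": score,
        "is_extortion": score >= 5,
    }


def correlate_by_address(raw_mails) -> dict:
    """Map each demanded bitcoin address to the sorted list of recipients it was sent to."""
    targets = defaultdict(set)
    for raw in raw_mails:
        ind = extract_indicators(raw)
        if not ind["is_extortion"]:
            continue
        for addr in ind["btc_addresses"]:
            targets[addr].add(ind["recipient"])
    return {addr: sorted(recipients) for addr, recipients in targets.items()}


def reused_addresses(raw_mails) -> list:
    """Addresses demanded from more than one distinct recipient: the campaign signal."""
    return sorted(a for a, r in correlate_by_address(raw_mails).items() if len(r) > 1)


def _extortion_mail(recipient: str, btc_address: str) -> str:
    # Constructed sample: body adapted from the mail quoted in the post, recipient made up.
    return (
        "From: Armada Collective <armada.collective@gmail.com>\n"  # constructed sender
        f"To: {recipient}\n"
        "Subject: DDOS ATTACK!!!\n"
        "Date: Wed, 9 Mar 2016 10:00:00 +0000\n"
        "\n"
        "We are Armada Collective.\n"
        "http://lmgtfy.com/?q=Armada+Collective\n"
        "All your servers will be DDoS-ed starting Monday (March 14) if you don't pay "
        f"protection - 25 Bitcoins @ {btc_address}\n"
        "If you don't pay by Monday, attack will start, price to stop will increase to "
        "50 BTC and will go up 20 BTC for every day of attack.\n"
    )


PAGE_ADDRESS = "17j7onEtLgS2pd6qLekKQCteqTrnAFXZVS"   # address quoted in the post
OTHER_ADDRESS = "1CopycatFakeAddressXXXXXXXXXXXXXXX"  # constructed, not a real address

SAMPLE_REPORTS = [  # constructed reports, as a CERT might receive them
    _extortion_mail("info@bank-a.example", PAGE_ADDRESS),
    _extortion_mail("info@bank-b.example", PAGE_ADDRESS),
    _extortion_mail("info@shop-c.example", OTHER_ADDRESS),
    "From: customer@gmail.com\nTo: info@bank-a.example\n"
    "Subject: Question about my account\n\nHello, what are your branch opening hours?\n",
]

if __name__ == "__main__":
    for addr, recipients in correlate_by_address(SAMPLE_REPORTS).items():
        print(addr, "->", ", ".join(recipients))
    print("reused across targets:", reused_addresses(SAMPLE_REPORTS))
```

Feeding every reported mail through `correlate_by_address` turns the single observation "same address in several mails" into a list of addresses and the victims they were demanded from, which is what you want before deciding whether an address reuse means a mass mailing rather than targeted follow-ups.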
Possible mitigation techniques (these have to be discussed with your ISP and/or upstream provider):
MELANI / GovCERT.ch has also published a more detailed set of recommendations for mitigating DDoS attacks. These recommendations are available in German, French, Italian and English:
Massnahmen gegen DDoS Attacken (German): https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-unternehmen/aktuelle-themen/massnahmen-schutz-ddos.html
Mesures à prendre contre les attaques DDoS (French): https://www.melani.admin.ch/melani/fr/home/documentation/listes-de-controle-et-instructions/massnahmen-gegen-ddos-attacken.html
Misure contro attacchi DDoS (Italian): https://www.melani.admin.ch/melani/it/home/dokumentation/liste-di-controllo-e-guide/massnahmen-gegen-ddos-attacken.html
Measures to counter DDoS attacks (English): https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-unternehmen/aktuelle-themen/massnahmen-schutz-ddos.html
Further reading about Armada Collective:
Armada Collective blackmails Swiss Hosting Providers: http://www.govcert.admin.ch/blog/14/armada-collective-blackmails-swiss-hosting-providers
Update on Armada Collective extort Swiss Hosting Providers: http://www.govcert.admin.ch/blog/15/update-on-armada-collective-extort-swiss-hosting-providers