A new DDoS extortion group is trying to cash in on the notoriety that "Armada Collective" earned last year. Last month it sent a threatening e-mail to a website owner in South Africa. Etienne Delport from Port Elizabeth published the ransom note he received on Twitter, and although security researchers quickly recognized the e-mail as an empty threat, the incident confirms that DDoS extortion groups are still active.
The criminals threatened Delport's company with a 300 Gbps DDoS attack the following day unless he paid 1 Bitcoin (about $610) to a specified address. Following the well-known Armada Collective playbook, the group also warned that the ransom would rise to 12 Bitcoin (roughly $7,300 at the same rate) once the attack had started and the company wanted it stopped. A new twist was the group's claim that it would also drop Cerber ransomware on every computer in the company's network.
Delport publicly refused to pay, and the attackers never followed through. Researchers also confirmed that the group is unrelated to Armada Collective and lacks the technical capability either to conduct a DDoS attack or to deploy ransomware on the victim's computers. An analysis of the Bitcoin wallet named in the ransom note showed that it had never received a single payment, and that the same address had been tied to several unsuccessful extortion attempts in April this year; an address that is recycled across campaigns and has never been paid is a strong indication that the senders are bluffing.
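The wallet analysis described above, as an added example that is not part of the original article: a small Python triage script that pulls the Bitcoin address and ransom figures out of an extortion e-mail, checks that the address is a valid Base58Check encoding (so a typo or a bogus string is caught before anyone tries to pay it), compares it against addresses collected from earlier extortion mails, and consults a "total received" figure that in practice would come from a block explorer or your own node. The sample note, the known-address list, the ledger value and all function names are constructed for this example; the address used is the well-known Bitcoin genesis-block address, chosen only because it is a syntactically valid placeholder, not the address from Delport's note.

```python
"""Triage of a DDoS-extortion e-mail: extract the Bitcoin address and ransom
figures, verify the address is well-formed (Base58Check), and compare it with
addresses seen in earlier campaigns and with what the chain says it received.
Added example; the sample note, address list and ledger are constructed."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Alphabet of legacy (P2PKH/P2SH) Bitcoin addresses: no 0, O, I or l.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy addresses start with 1 or 3; the checksum does the real filtering.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Ransom figures quoted as "<n> BTC" or "<n> Bitcoin(s)".
DEMAND_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|Bitcoins?)\b", re.IGNORECASE)


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version byte + hash160) of a legacy address,
    or None if the string is not a valid Base58Check encoding."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    # Each leading '1' encodes a leading 0x00 byte that the integer loses.
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:  # 1 version + 20 hash160 + 4 checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def extract_addresses(text: str) -> List[str]:
    """Unique, checksum-valid legacy addresses in the order they appear."""
    found: List[str] = []
    for cand in ADDRESS_RE.findall(text):
        if cand not in found and base58check_decode(cand) is not None:
            found.append(cand)
    return found


def triage_note(text: str, known_addresses: Iterable[str],
                received_sat: Dict[str, int]) -> dict:
    """Summarise a ransom note. `received_sat` stands in for a block-explorer
    or full-node lookup of satoshis ever received by each address."""
    known = set(known_addresses)
    addresses = extract_addresses(text)
    demands = [float(d) for d in DEMAND_RE.findall(text)]
    reused = [a for a in addresses if a in known]
    paid = sum(received_sat.get(a, 0) for a in addresses)
    if not addresses:
        verdict = "no valid payment address: nobody can pay, threat is malformed"
    elif reused and paid == 0:
        verdict = "address recycled from earlier campaign and never paid: copycat pattern"
    elif paid > 0:
        verdict = "address has received funds: someone paid, treat as a live operation"
    else:
        verdict = "fresh, unpaid address: inconclusive, prepare mitigation anyway"
    return {
        "addresses": addresses,
        "demand_btc": demands[0] if demands else None,
        "escalation_btc": demands[1] if len(demands) > 1 else None,
        "reused_addresses": reused,
        "received_sat": paid,
        "verdict": verdict,
    }


# --- Constructed sample data -------------------------------------------------
# The Bitcoin genesis-block address is used only as a well-known, syntactically
# valid placeholder; it is not the address from the article.
PLACEHOLDER_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

SAMPLE_NOTE = f"""\
Your network will be hit with a 300 Gbps DDoS tomorrow unless 1 Bitcoin is
paid to {PLACEHOLDER_ADDR} before then. Once the attack has started the
price is 12 Bitcoin and we will also drop Cerber on every host we can reach.
"""

# Addresses collected from earlier (failed) extortion mails, and a stand-in
# for the on-chain "total received" lookup; both made up for this example.
KNOWN_EXTORTION_ADDRESSES = {PLACEHOLDER_ADDR}
RECEIVED_SAT = {PLACEHOLDER_ADDR: 0}

if __name__ == "__main__":
    report = triage_note(SAMPLE_NOTE, KNOWN_EXTORTION_ADDRESSES, RECEIVED_SAT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A recycled, never-paid address is consistent with the copycat pattern the researchers described, but the verdict only shifts confidence: a fresh address tells you nothing either way, and the ProtonMail case later in the article shows that real attacks do follow real threats, so arranging upstream mitigation should not wait on the result.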
That particular case ended without consequences, but that does not mean these newly emerged DDoS extortion groups are harmless. It is usually hard, even for security experts, to tell empty threats from real ones, and other cases have gone far worse. One of the most prominent DDoS attacks attributed to Armada Collective targeted the Swiss secure e-mail provider ProtonMail. The company initially ignored the threatening e-mail, and the attackers then launched a massive DDoS attack that grew progressively in size and complexity, reaching 100 Gbps.
After the first several hours the company paid the demanded ransom of about $6,000, yet the attacks did not stop. Armada Collective denied responsibility for the attacks that followed the payment, but the result was that Proton's servers were down for days, causing the company heavy losses. Researchers believe that Armada Collective is an alternative name for DD4BC, the first group of this kind, spotted in September 2014, and the name evidently still frightens potential victims enough that imitators have collected over $100,000 in a year just by sending empty threats.
A DDoS attack is one of the most common ways to make an online service unavailable: the target is flooded with more traffic than it can handle from many sources at once. DD4BC launched its initial campaign in late 2014, targeting mostly websites in the financial services sector. These attacks begin with an e-mail in which the group introduces itself and threatens to launch DDoS attacks against the victim's servers unless a Bitcoin payment is made to the criminals' wallet. Ransom demands have ranged from $6,000 to $24,000, while the average attack has been relatively small (around 13 Gbps). Between September 2014 and September 2015, DD4BC conducted over 141 attacks, until suspected members of the group were arrested in January this year. The success of its blackmail campaigns attracted many followers, and multiple copycat groups have turned DDoS extortion into a regular practice. Online companies are advised to put DDoS mitigation in place before any such e-mail arrives; as the ProtonMail case shows, paying is no guarantee that an attack stops.