Hackers are learning from the mafia: they extort a “protection” fee under threat of DDoS attacks

A picture of a mafioso sitting behind a table, using his phone to extort someone.

“What a lovely thing, that company network of yours, with all its servers and websites. It would be a shame if anything were to happen to it…”

Acting like the old-school mafia, a group of hackers calling itself the Armada Collective started extorting money from companies.

They rattle their sabres and threaten the companies with a massive DDoS attack unless the firms in question pay a hefty sum in bitcoin.

Situations like these happen quite frequently. What makes this case unusual is that in the end the Armada Collective does not attack at all. All the threats turn out to be empty.

Even so, the “hackers” racked up over a hundred thousand dollars from many companies.

Research by the internet security company Cloudflare found that the criminals claiming to be the Armada Collective follow an established procedure.

First, they send a threatening message to a generic mailbox of the target company and ask that it be forwarded to the people in charge. The senders identify themselves as the Armada Collective, an infamous hacker group, and demand that the company pay up in bitcoin, or a DDoS attack will hit its network. The amount demanded varied from ten to fifty bitcoins (at the time roughly 4 500 to 22 700 dollars, or 3 000 to 15 700 pounds).

Sending the extortion email to a generic company address is, incidentally, a smart move psychologically. The mailbox is probably handled by someone with minimal IT knowledge, i.e. someone who may be easily alarmed by such a threat. That person then spreads the panic upwards to management, which frankly also quite often lacks the knowledge and perspective needed to judge it. The company may then see paying up as the easiest and most attractive way out. Had the first email landed in a system administrator's inbox, it would most likely have been binned with little ceremony.

Many companies thankfully did just that. They did not pay the Armada Collective. As for the revenge... nothing happened.

Because the attackers were no geniuses.

You could see it in the threatening message itself. It says: “Our attacks are extremely powerful – sometimes over 1 Tbps per second. And we pass Cloudflare and others remote protections! So, no cheap protection will help.” Notice the redundant “per second” after Tbps: the abbreviation already means “terabits per second”, so no further time unit is needed. On its own that proves nothing, but it suggests the senders may not be as technically skilled as they claim.

This is further supported by something the researchers noticed when they trawled through many instances of these threats. The perpetrators sent the same bitcoin address to many different companies. A bitcoin payment carries no sender identity, so with a single shared address (and no unique amount per target) they would have had no way to tell which companies had paid up.
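A practical way to check the researchers' observation on your own inbound threats, as an added example that is not part of the original article or of Cloudflare's research: the Python script below takes a batch of threat emails (constructed samples, not real messages), pulls out every legacy bitcoin address, verifies its Base58Check checksum, and groups recipients by address. One address demanded from many different targets is the tell-tale sign of a bulk campaign whose sender cannot know who paid. The email bodies, recipient addresses and the two-target threshold are assumptions made up for the example; the “valid” sample address is the well-known genesis-block address, and the second one is the same address with its last character altered so that its checksum cannot match.

```python
import hashlib
import re
from collections import defaultdict

# Base58 alphabet used by bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose pattern for legacy addresses (P2PKH "1..." and P2SH "3...");
# a match is only a candidate until its checksum has been verified.
BTC_ADDR_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")


def b58decode(text: str) -> bytes:
    """Decode a Base58 string; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """True if addr decodes to version(1) + hash160(20) + checksum(4) with a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def triage_threats(emails):
    """Group threat emails by the bitcoin address they demand payment to.

    Returns {address: {"recipients": [...], "valid": bool}}.
    """
    grouped = defaultdict(set)
    for mail in emails:
        for addr in set(BTC_ADDR_RE.findall(mail["body"])):
            grouped[addr].add(mail["recipient"])
    return {
        addr: {"recipients": sorted(rcpts), "valid": is_valid_legacy_address(addr)}
        for addr, rcpts in grouped.items()
    }


def mass_campaign_addresses(report, min_targets=2):
    """Addresses demanded from at least min_targets distinct recipients (assumed threshold)."""
    return sorted(a for a, e in report.items() if len(e["recipients"]) >= min_targets)


# Constructed sample messages with hypothetical recipients; not real extortion emails.
# The same address is demanded from three different companies; the fourth message
# carries a one-character typo in the address, so its checksum cannot match.
_DEMAND = "We are Armada Collective. Pay 20 BTC to {addr} within 24 hours or your network goes down."
THREAT_EMAILS = [
    {"recipient": "info@alpha.example", "body": _DEMAND.format(addr="1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")},
    {"recipient": "office@beta.example", "body": _DEMAND.format(addr="1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")},
    {"recipient": "contact@gamma.example", "body": _DEMAND.format(addr="1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")},
    {"recipient": "info@delta.example", "body": _DEMAND.format(addr="1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb")},
]

if __name__ == "__main__":
    report = triage_threats(THREAT_EMAILS)
    for addr, entry in report.items():
        print(addr, "valid" if entry["valid"] else "INVALID checksum", entry["recipients"])
    print("shared across targets:", mass_campaign_addresses(report))
```

An address that fails the checksum was either mistyped by the sender or mangled in transit; either way nobody could pay it. An address that validates and appears in threats sent to several unrelated companies is exactly the pattern the researchers describe, and a good reason to treat the message as a mass mailing rather than a targeted threat.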

That might be the reason criminals treated everyone the same and attacked no one.

Or maybe they were simply no real hackers.

We’ll take this famous name and get paid

According to the results published by the researchers, it seems probable that the name of the infamous Armada Collective has been taken over by a different group. The original Armada Collective did carry out its threats.

After last November they were nowhere to be found; many experts presume the real hackers had already gone into hiding because Europol was hot on their heels. In January, in Operation Pleiades, police arrested two members of the hacking group DD4BC. It is reasonable to presume that the Armada Collective was just another pseudonym of the same group.

It seems the unused name with its big reputation inspired someone to try to get rich quickly. It is not yet clear who is behind these threats, but they are probably not capable of pulling off any attack.

Still, the technique earned them over a hundred thousand dollars (around seventy thousand pounds) in bitcoin, essentially for sending out a threatening mailing campaign, simply because many companies and their bosses lacked the IT knowledge and the nerve to refuse, and paid the attackers.

And according to the latest news, the attackers are still active; they have just borrowed yet another pseudonym. British cyber-crime police warned that the threatening emails were now “also” being sent by a hacker group known as Lizard Squad, even though most of its members were caught not long ago. It is very probable that these are the same “masterminds” behind the Armada Collective scam.

How not to be fooled? Don’t negotiate with any attackers

These companies could have avoided their losses. All they had to do was adopt one principle that responsible system administrators worldwide already follow.

You don’t negotiate with attackers.

Some people might be inclined to think that a payment of about twenty thousand dollars is a small price to pay for the uninterrupted running of a big online retail site that pulls in five times as much every day.

However, it is important to realise one thing: once you concede and pay, what stops the attackers from trying again? Maybe not tomorrow or next week, but give it a month and a similar message may turn up in your mailbox. And what if word gets around that your company pays hackers who threaten it? You will be plagued by hackers from Alaska to Zimbabwe. More importantly, every further payment helps the attackers build up their infrastructure.

The most common types of DDoS attacks in the first quarter of 2016

If you were ever threatened by real attackers, these are the methods they would most likely use. According to a Kaspersky report, the most common type of DDoS attack in the first quarter of 2016 was the SYN flood (read more about them in one of our previous articles), followed by TCP floods in second place and HTTP floods in third. Compared with the previous quarter, there was a rise in ICMP floods, which bombard servers and their infrastructure with masses of ping (echo) requests.
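To make the attack types from the Kaspersky figures concrete, here is an added example (not from the article or from the Kaspersky report) of the detection logic a defender might run over inbound packet summaries: it buckets packets per destination into one-second windows, flags a SYN flood when many distinct sources send SYNs but almost none complete the handshake with an ACK, and flags an ICMP flood when echo requests exceed a rate threshold. The packet records, IP addresses (documentation ranges) and thresholds are constructed for the example and would need tuning to a real network's baseline.

```python
from collections import defaultdict


def sample_traffic():
    """Constructed inbound traffic mix, not a capture: (time_s, src, dst, proto, flags).

    Only the client->server direction is modelled: "S" = SYN (handshake start),
    "A" = ACK (handshake completion).  Addresses come from documentation ranges.
    """
    pkts = []
    server = "203.0.113.5"
    # Three legitimate clients: SYN followed by the completing ACK.
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        pkts.append((0.10 + i * 0.01, ip, server, "tcp", "S"))
        pkts.append((0.20 + i * 0.01, ip, server, "tcp", "A"))
    # SYN flood: 80 spoofed sources that never complete the handshake.
    for i in range(80):
        pkts.append((0.30 + i * 0.005, f"198.51.100.{i + 1}", server, "tcp", "S"))
    # ICMP flood: one host hammering the server with echo requests.
    for i in range(40):
        pkts.append((0.50 + i * 0.01, "198.51.100.200", server, "icmp", "echo-request"))
    return pkts


def detect_floods(packets, window=1.0, syn_threshold=50, completion_max=0.2, icmp_threshold=30):
    """Return a list of findings per (window, destination).  Thresholds are illustrative."""
    syn_src = defaultdict(set)   # (bucket, dst) -> sources that sent a SYN
    ack_src = defaultdict(set)   # (bucket, dst) -> sources that sent an ACK
    icmp = defaultdict(int)      # (bucket, dst) -> echo request count
    for t, src, dst, proto, flags in packets:
        key = (int(t // window), dst)
        if proto == "tcp" and flags == "S":
            syn_src[key].add(src)
        elif proto == "tcp" and flags == "A":
            ack_src[key].add(src)
        elif proto == "icmp" and flags == "echo-request":
            icmp[key] += 1

    findings = []
    for key in sorted(set(syn_src) | set(icmp)):
        syns = len(syn_src[key])
        completed = len(syn_src[key] & ack_src[key])  # sources that finished the handshake
        # Many half-open connections from many sources is the SYN-flood signature.
        if syns and syns >= syn_threshold and completed / syns <= completion_max:
            findings.append({"window": key[0], "dst": key[1], "kind": "syn_flood",
                             "syn_sources": syns, "completed": completed})
        if icmp[key] >= icmp_threshold:
            findings.append({"window": key[0], "dst": key[1], "kind": "icmp_flood",
                             "echo_requests": icmp[key]})
    return findings


if __name__ == "__main__":
    for finding in detect_floods(sample_traffic()):
        print(finding)
```

On the constructed sample the detector reports one SYN flood (83 distinct sources sent a SYN in the window, only 3 completed the handshake) and one ICMP flood (40 echo requests in the window). Real deployments would feed it from flow records or a packet tap and set the thresholds well above the observed legitimate rate; the ratio of completed handshakes to SYNs is what separates a flood from a legitimate traffic spike.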

Instead, invest in an infrastructure of your own. Give your IT experts enough resources, and if you are a system administrator yourself, go and ask for them. It is far better to invest in your own security and be able to defend against DDoS attacks than to fund the people harassing you while remaining vulnerable.

And if you lack the necessary staff or knowledge, don't be embarrassed to admit it. People have different areas of expertise, and nobody can be an expert in everything. Don't brush off security as a non-concern just because you may not fully understand it; instead, ask for advice from experienced administrators who have dealt with DDoS attacks. Don't hesitate to ask MasterDC's own battle-hardened administrators for help. They are so well-versed in this field that they even lecture on anti-DDoS security.
