Potential DD4BC copycat, The Armada Collective target email providers


A new cyber-outfit has arrived on the scene. Calling itself The Armada Collective, this new addition to the cyber-rogues gallery has been going around demanding piles of money from online businesses, in exchange for a cessation of their constant DDoS attacks.

This new outfit has also established for itself a rather slippery, if efficient, reputation in its few days of existence. In that short lifespan the collective has attacked four Thai banks; Protonmail, a CERN-backed email service; Hushmail, another email service; Zoho, an enterprise software provider; and a host of other companies that have had the misfortune of being assaulted by these new upstarts.

Their partiality for certain kinds of organisations over others is a point for examination. Bill Brenner of Akamai, a leading CDN company, wrote in a blog post that “targets of ransom demands are selected based on their anticipated reluctance to involve law enforcement, leaving them to either pay the ransom or pay for DDoS protection”. SC spoke to Werner Thalmeier, director of security solutions for Radware in the EMEA and CALA regions. He thinks that the reason email providers have been so disproportionately targeted is that “Currently they are an easy target. As we learned with Proton they are not prepared to become victims of DDoS attacks.”

Thalmeier added that “Armada is looking for the easy target to save resources, as this is a pure business for them.”

The Armada Collective's methods aren't particularly new. They contact the targeted organisation, saying that their servers will be DDoSed unless they pay the mysterious assailant a pile of cash in the cryptocurrency bitcoin, one being currently valued at nearly £250.

A DDoS attack is the bread and butter of cyber-criminals, cyber-terrorists and hacktivists. It is a kind of cyber-attack in which the assailants clog the targeted website with so much traffic that the site stops functioning. Obviously, this most powerfully affects organisations that do their business online: they are the most susceptible to downtime, lose the most money to it, and are therefore the most willing to pay up to the ransomers.

These unoriginal tactics are startlingly similar to the more famous and more prolific DD4BC group. Thalmeier told SC that “Armada Collective could come out of DD4BC or acting as copycat and using their methods”.

Akamai initially thought that The Collective was “DD4BC resuming attacks under a new name,” before adding, “At this stage of the investigation, we're more inclined to believe Armada Collective is a copycat group.”

This is not particularly new either. Just a few weeks ago, a potential Ashley Madison extortion campaign, claiming to be run by DD4BC, was dismissed by experts as merely trying to capitalise on the infamous brand.

The Swiss government's cyber emergency response team (Swiss CERT) published a ransom demand sent to several of the group's victims. Loftily, they write, “We are Armada Collective. All your servers will be DDoS-ed starting Friday if you don't pay 20 Bitcoins. When we say all, we mean all -- users will not be able to access sites host with you at all.” Again, much like DD4BC, they say that these DDoS attacks will increase if payment is not made by a certain date. They conclude: “This is not a joke.”

However, unlike DD4BC, the collective claim that their DDoS attacks can be as powerful as one terabyte per second, double that which DD4BC claim as their UDP flood power. This may well be nonsense; Akamai notes that the highest flood power they've seen from Armada Collective peaked at 772 Mbps.

Swiss CERT advises victims not to pay, and to handle Armada Collective the same way it told victims to handle DD4BC attacks: report them to the police and to your internet service provider, and don't pay.

While most of their victims have not paid, the CERN-backed email provider Protonmail was beset by two attacks from different groups.

Protonmail was keen to impress upon SC that the first attack was not carried out by Armada, but by a group which it is still trying to identify. They paid that group $6000 in Bitcoin, admitting in a recent blogpost: “This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.”

The company added that, “At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do.”

Thalmeier told SC that not paying the ransomers should be a cardinal rule in these situations: “We need to take off the fuel from this ‘industry’ which is money… As long as companies are paying ransom money it will continue. Companies should invest into protection and not into paying the attackers. As we learned, as soon as Armada find out that the company has reasonable DDoS protection in place they will not go after it, simply because it is too expensive for them.”
