Security News Armada Collective DDoS Extortion Group Now Threatens Ransomware Infections

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A group going by the name of Armada Collective is still sending extortion emails to website owners around the globe, one year after this type of attack became widely known.

The latest victim of these tactics is Etienne Delport from Port Elizabeth, South Africa, owner Alpha Bookkeeping Services.

On September 5, Delport published an email on Twitter, showing a ransom note she received from a group claiming to be Armada Collective.

Group claiming to be Armada Collective still lurking around
The group was threatening her with a 10-300 Gbps DDoS attack on the next day, unless she paid 1 Bitcoin (~$610) to a certain address. The email, embedded in full below at the bottom of this article, also said the ransom would go to 20 Bitcoin (~$12,150) if the DDoS attacks started, and she wanted the group to stop afterward.

These types of extortion attempts became common last year when a group of hackers using the DD4BC name started employing them.

Europol arrested the group this past winter, but other copycats appeared, including one called Armada Collective, who's most famous attack was against ProtonMail, when they forced the secure email provider to pay $6,000 to stop a massive DDoS attack.

The rise of an armada of Armada Collective copycats
After that event, extortion attempts from the group waned, but in the winter of 2016, many companies started reporting similar DDoS-for-Bitcoin extortion attempts.

Security researchers weren't able to pin any of these attempts on the real Armada Collective group, but their number grew exponentially and started to target any website owner, not just larger companies that could afford the ransom.
In April, CloudFlare reported that a group, using a certain list of Bitcoin addresses in its emails, was only threatening to launch DDoS attacks on websites, but they never came through. The group used both the Armada Collective and LizardSquad names in their emails, two hacking crews known for their massive DDoS attacks.

At that point, it was clear that you couldn't distinguish the real Armada Collective ransom emails from the flurry of copycats that spawned following the successful ProtonMail attack from the previous autumn.

Attackers are now threatening to deploy Cerber ransomware
This most recent ransom email that Delport received last week shows the group behind these attacks incorporating a new wrinkle in their tactics.

With all the hype surrounding ransomware infections these days and the ever-growing number of new ransomware families, the group thought it would be a great idea to name-drop the Cerber ransomware in their email.

"All the computers on your network will be attacked for Cerber - Crypto-Ransomware," the extortion email reads.

Reading this, the first impression is that the group is obviously not a native English speaker. The second, they have no idea how Cerber works.

A DDoS attack cannot install ransomware on a network. Web servers are often hosted on Linux machines. Cerber does not support infecting Linux devices. In order to install Cerber on the network, the attackers would need to breach the servers. If an attacker is skilled enough to breach servers and access internal networks, then he'll be probably selling your internal data on the Dark Web instead of bragging about it in an extortion email. The group most likely wanted to issue another threat, to scare victims.


Extortion email received by Etienne Delport
Ransom emails go back for months
In an interview with IBTimes, Delport said she has no plans on paying the ransom. The same report cites a second victim that received this email, Michael O'Connor from Cornwall, UK.

Taking a look at the Bitcoin wallet found in the ransom note, we see that there have been no payments made.

Googling the "1Pnv9xaEdBFGXzhX6EDo2XAgrDxxdg25WU" address we discover a slew of other people sharing their ransom notes, with the same Bitcoin address, going back to the beginning of the year.

To pay or not to pay?
The Bitcoin address is also the same one found in extortion attempts detected by CloudFlare in April, tied to the group that used both the Armada Collective and LizardSquad names.

In its initial report, CloudFlare claimed that this copy-cat group only launched empty threats. CloudFlare even argued that the group didn't have the technical capabilities to launch DDoS attacks. Nevertheless, when Softpedia published an article about the group, we were under a DDoS attack for at least 12 hours.

If website owners receive such emails, they should use the time between its arrival and the DDoS deadline time to invest in DDoS mitigation services. Law enforcement's position on extortion attempts, regardless if it takes place in the real world or cyberspace, is to not pay the ransom.

In Delport's case, the attackers never followed through with their threats. Below is the extortion email in text format, embedded in full.
 
  • Like
Reactions: Nikos751

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top