Receiving an extortion letter instructing the recipient to “pay us in bitcoins or your site will suffer a distributed denial-of-service (DDoS) attack” has become almost commonplace in the last two years. They say there’s nothing new under the sun, and this applies to the Internet just as much as anything else.

As soon as businesses realized there was money to be made by having a website and selling things, other people realized that there was money to be made by taking it down or threatening to do so. It’s an old cycle that has happened every time a new method of making money has been discovered. Over the last 24 months, DDoS attacks have become a favorite tool for extortion.

A History of Cyber Extortion

Extortion by DDoS is old hat for those in the online gaming and gambling sectors. In the late 1990s, as the fledgling Internet started gaining traction, one of the biggest concerns for these organizations was DDoS attacks. If your site was offline, customers would rather go check out one of your competitors than wait for it to come back, and some of them never returned.

Later, it was the hospitality sector (hotels and other online booking services) that started suffering attacks. While these strikes weren’t uncommon, they also weren’t newsworthy, in part because businesses downplayed their impact and in part because, in the grand scheme of things, the financial effect on the victims was still relatively minor.

Over the last couple of years, things have changed — and not for the better. In September 2014, a group calling themselves DD4BC (DDoS for Bitcoin) began sending CFOs and CSOs emails stating, “Pay us or else,” and threatening to bring hundreds of gigabits per second of traffic to bear against the organization. Many companies discounted the emails only to see their sites impacted by the promised traffic, first for a short burst of time and later for an extended length, though mostly in the megabit range rather than the gigabit.

While there’s nothing more than rumors of organizations paying the extortion demands, the fact that DD4BC kept up the attacks until July 2015 suggested there was enough money being made to continue the efforts.

Copycats Attempt Additional Scams

Though DD4BC stopped their attacks for reasons unknown, it doesn’t mean we’ve seen a decrease in the use of DDoS for extortion. In fact, a number of copycats have sent out emails mimicking DD4BC over the past year. One new group calling itself the Armada Collective arrived on the scene in October.

Using similar tactics to DD4BC, the Armada Collective demands a payment of approximately $5,000 to $10,000 in bitcoins to an anonymous wallet, failing which the organization will be hit with more than 1 terabit per second of traffic. A short demonstration attack of 15 minutes or fewer is then performed. If the extortion isn’t paid, a longer attack commences, and the price to make it stop goes up. The most recent high-profile targets of the Armada Collective have been secure mail services such as ProtonMail.

The Security Intelligence Research Team (SIRT) at Akamai (full disclosure: I work for Akamai) has been tracking this new organization and believes that the Armada Collective is a copycat group distinct from the earlier DD4BC. While the threat letter promises an attack of 1 Tbps, the reality of the group’s capabilities is quite a bit more modest.

The initial attacks by the group were under 1 Gbps, though more recent attacks have been larger, topping out at just over 50 Gbps in the case of ProtonMail. The majority of this traffic is generated by reflection: the attacker sends requests whose source IP address is spoofed to be the target’s, aimed at open DNS resolvers and NTP servers around the Internet, so that those servers’ (typically much larger) responses are delivered to the target instead of the attacker. There is also application-layer traffic in the mix.
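To make the reflection pattern concrete, here is an added example (not code from the original article, nor from Akamai or IBM) that classifies flow summaries of the NetFlow kind into DNS reflection, NTP reflection and application-layer traffic. The flow records, the 203.0.113.10 target address, and the 400-byte average-packet-size threshold are all constructed for this example; the page itself does not state a threshold. The check works because a reflected reply arrives from a service port (53 or 123) and is large, whereas the target’s own legitimate DNS replies from those ports are small. Note that the “source” addresses seen are the abused reflectors, not the attacker, whose real address is hidden by the spoofing.

```python
"""Classify constructed flow records to separate UDP reflection traffic
(DNS on port 53, NTP on port 123) aimed at a target from application-layer
traffic. All sample data below is constructed for this example."""
from collections import defaultdict

# Service ports commonly abused as reflectors; the article names DNS and NTP.
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}

# A UDP flow from a reflector port whose average packet size is at least this
# many bytes is treated as reflected/amplified traffic. Normal DNS replies are
# far smaller. The value is an assumption for this example, not a standard.
MIN_REFLECT_BYTES_PER_PKT = 400

# Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
TARGET = "203.0.113.10"
SAMPLE_FLOWS = [
    ("198.51.100.7",   53, TARGET, 41234, "udp", 1200, 1_560_000),  # DNS reflection
    ("198.51.100.8",   53, TARGET, 41234, "udp",  900, 1_170_000),  # DNS reflection
    ("192.0.2.44",    123, TARGET, 41234, "udp", 3000, 1_440_000),  # NTP reflection
    ("192.0.2.45",    123, TARGET, 41234, "udp", 2800, 1_344_000),  # NTP reflection
    (TARGET,        55000, "198.51.100.9", 53, "udp", 10,     640),  # target's own DNS query
    ("198.51.100.9",   53, TARGET, 55000, "udp",   10,     1_200),  # small, legitimate reply
    ("192.0.2.200", 51234, TARGET,   443, "tcp", 5000,   400_000),  # application-layer flood
    ("192.0.2.201", 51235, TARGET,   443, "tcp", 4800,   384_000),  # application-layer flood
    ("192.0.2.77",  40000, TARGET,    80, "tcp",   20,     6_000),  # ordinary visitor
]


def classify_flow(flow, target_ip):
    """Return a label for one flow record relative to the target address."""
    src, sport, dst, dport, proto, pkts, nbytes = flow
    if dst != target_ip:
        return "outbound"          # not inbound to the target; ignore
    if proto == "udp" and sport in REFLECTOR_PORTS and pkts > 0:
        if nbytes / pkts >= MIN_REFLECT_BYTES_PER_PKT:
            return REFLECTOR_PORTS[sport] + "-reflection"
    if proto == "tcp" and dport in (80, 443):
        return "application-layer"  # floods here look like real HTTP(S) clients
    return "other"


def summarize(flows, target_ip):
    """Aggregate inbound bytes per vector and collect the reflector addresses."""
    bytes_by_vector = defaultdict(int)
    reflectors = defaultdict(set)
    for flow in flows:
        label = classify_flow(flow, target_ip)
        if label == "outbound":
            continue
        bytes_by_vector[label] += flow[6]
        if label.endswith("-reflection"):
            # These are the abused servers, not the attacker: the attacker's
            # own address never appears because the request source was spoofed.
            reflectors[label].add(flow[0])
    total = sum(bytes_by_vector.values())
    share = {k: round(v / total, 3) for k, v in bytes_by_vector.items()} if total else {}
    return {
        "bytes": dict(bytes_by_vector),
        "share": share,
        "reflectors": {k: sorted(v) for k, v in reflectors.items()},
    }


if __name__ == "__main__":
    for vector, amount in sorted(summarize(SAMPLE_FLOWS, TARGET)["bytes"].items()):
        print(f"{vector:18s} {amount:>10,d} bytes")
```

Run against the constructed flows, the reflection vectors account for roughly 87% of inbound bytes from only four reflector addresses, which is the practical takeaway: filtering inbound UDP from source ports 53 and 123 at the upstream provider or scrubbing service removes most of the volume, while the application-layer portion needs separate handling because it looks like ordinary client traffic.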

Read the complete IBM research paper: Extortion by distributed denial of service attack

About the New DDoS Attacks

These attacks aren’t isolated examples or one-time events. Multiple other secure mail services have received the same threats, and blogger Graham Cluley even came under attack after writing about the Armada Collective. For every one of these publicly acknowledged targets, it’s likely there are multiple extortion recipients who won’t disclose that they’ve been threatened. It’s also highly likely that the Armada Collective has moved on from large organizations that can afford the technology to protect themselves to smaller organizations that might not have the expertise or systems to do so and would rather pay to make the attacks go away.

Companies should develop a plan for cyberattacks that is both proactive and responsive, placing them in a position to effectively defend against DDoS attacks. In my opinion, paying a ransom is a mistake. ProtonMail paid and the attacks continued, though the Armada Collective claims it was a second group that took over the attack.

Whether this is true or not, paying organizations like DD4BC or the Armada Collective only encourages them to continue their attacks. They may stop attacking your organization in the short term and move on to other targets, but groups like these talk to each other. Once it’s known that your organization will pay, the odds of becoming the target of another attack increase greatly.

Final Thoughts

It is unlikely that the use of DDoS for extortion is going to come to an end anytime soon. The tools needed to attack your site are cheap and easy to use. That attack that you’re being asked to spend $6,000 to stop probably only costs the attacker $40 an hour to launch, meaning every time a business pays, it’s funding 150 hours of attacks on other targets. Paying attackers fuels their capabilities and makes it more likely they’ll continue to attack businesses globally.

There are multiple ways to prepare for and mitigate DDoS attacks, from on-premises equipment to scrubbing services offered by ISPs and cloud-based services that absorb the attack in their data centers rather than yours. Your reaction to online extortion shouldn’t be any different than if you experienced it in the real world: Contact law enforcement and prepare your defenses.
