DDOS "ransom note"


#1

Yesterday I received the following email to the info@ address for Overview. It's new to me, and I thought others might be interested in seeing it. It's certainly a type of threat I hadn't previously considered.

While I am betting it's a bluff, I have taken steps to mitigate a possible DDOS attack (I think that was covered in another thread.)


From: Armada Collective armada.collective@gmail.com
Date: Mon, Jun 20, 2016 at 7:13 PM
Subject: ATTENTION: Ransom request!!!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

All your servers will be DDoS-ed starting Wednesday (Jun 22 2016) if you don't pay 5 Bitcoins @ 1NmtqLKvwzWLS71WetbggF7Sp2tcLcSSwh

When we say all, we mean all - users will not be able to access sites host with you at all.

If you don't pay by Wednesday, attack will start, price to stop will increase by 5 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 5 BTC @ 1NmtqLKvwzWLS71WetbggF7Sp2tcLcSSwh

Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.



#2


It sounds like this ransom note has been making rounds to a lot of different sites for at least 7 months - often copy / pasted word for word. Tough to tell how often this is a bluff, especially since anyone can send this kind of scripted email. But interesting!


#3

Cloudflare also posted on this a while ago: https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/

"We heard from more than 100 existing and prospective CloudFlare customers who had received the Armada Collective's emailed threats. We've also compared notes with other DDoS mitigation vendors with customers that had received similar threats.
Our conclusion was a bit of a surprise: we've been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, there's no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments."
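
Added example, not part of the thread or of Cloudflare's post: the address-reuse point above can be checked when several recipients compare notes, by pulling checksum-valid legacy Bitcoin addresses out of each email and listing any that went to more than one recipient. The recipient names and helper names are made up for illustration; the address in the sample is the one quoted in post #1.

```python
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58 address candidates: start with 1 or 3, 26-35 characters in total.
CANDIDATE = re.compile(r"\b[13][%s]{25,34}\b" % B58)

def base58check_valid(addr):
    """True if addr decodes to 25 bytes ending in the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is one zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]

def addresses_by_recipient(emails):
    """Map each checksum-valid address to the recipients whose email contained it."""
    seen = defaultdict(set)
    for recipient, body in emails:
        for addr in set(CANDIDATE.findall(body)):
            if base58check_valid(addr):  # drops random Base58-looking strings
                seen[addr].add(recipient)
    return dict(seen)

def reused(emails):
    """Addresses sent to more than one recipient: a payment to one of these
    cannot be tied to any particular recipient."""
    found = addresses_by_recipient(emails)
    return {a: sorted(r) for a, r in found.items() if len(r) > 1}

# Constructed sample: recipients are invented, address is the one from post #1.
SAMPLE = [
    ("info@site-a.example", "pay 5 Bitcoins @ 1NmtqLKvwzWLS71WetbggF7Sp2tcLcSSwh"),
    ("admin@site-b.example", "just 5 BTC @ 1NmtqLKvwzWLS71WetbggF7Sp2tcLcSSwh"),
]

if __name__ == "__main__":
    for addr, who in reused(SAMPLE).items():
        print(addr, "was sent to", who)
```
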


#4

I know someone who got the same note a couple of days ago, though the bitcoin address was different and the attack is supposed to start 6/23. Otherwise it's word-for-word. Did anything happen today?


#5

Everything seems fine so far.


#6

Consensus from what I've seen is that the so-called 'Armada Collective' DDOS ransoms are, bluntly, just a scam.

I mean, more so than the usual.

I've not seen anyone affected by actual traffic interruption from any of them; and to be honest, I always recommend AGAINST paying -any- kind of ransom.

Though apparently enough folks are credulous enough to pay 'em, so we keep seeing those payments underwriting further threats and other related shenanigans.


#7

Agreed. So sad that people would even consider paying a ransom. I'm a bit new to this, but at first glance it appears the cost of mitigation - should any of these turn out to be anything other than a bluff - is likely much less than the ransom demand.


#8

Update - so far it was a hoax as expected. I did notice someone paid a "ransom" of about $0.03 to the bitcoin address (that was used in multiple emails), so someone is having fun with them.