DDoS Extorters Claim to Be Armada Collective, Fancy Bear

Cybercriminals claiming to represent well-known threat groups such as Fancy Bear and Armada Collective have been threatening organizations with distributed denial of service (DDoS) attacks, Akamai warns.

The attacks started roughly a week ago and are targeting a variety of sectors, including financial and retail, attempting to extort large sums of money from potential victims.

Similar to extortion groups that operated in the past, the attackers contact victim companies and warn them of an imminent DDoS attack on their infrastructure unless a ransom is paid.

The extortion messages are similar to those observed in previous incidents and in some cases warn the victim that, should the extortion demand be disclosed publicly, the DDoS attack would begin immediately.

“If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. (sic),” an extortion letter supposedly coming from Armada Collective reads.

“…your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. […] We will completely destroy your reputation and make sure your services will remain offline until you pay. (sic),” a message allegedly sent by Fancy Bear states.

The group claiming to be Armada Collective asks victims to pay a 5 BTC ransom, or 10 BTC after the deadline is reached. They also note that the amount will increase by 5 BTC per day, until the ransom is paid.

The attackers who call themselves Fancy Bear ask victims to pay 20 BTC in ransom, or 30 BTC if the deadline is missed. The amount would increase by 10 BTC for each day thereafter.

In some of the letters, the attackers claim to be able to launch DDoS attacks of up to 2 Tbps.

According to Akamai, the extortion attempts are likely the work of copycat groups, and not that of the two well-known adversaries.

“The Akamai SIRT suspects the extortion demands are originating from copycats using the reputation of known attack groups as a means of intimidation in order to expedite payment,” Akamai notes, recommending that organizations refrain from paying any ransom.

Armada Collective, an extortion group that was highly active five years ago, has inspired several copycat groups, some of them observed in late 2015 and throughout 2016.

Also referred to as APT 28, Pawn Storm, Strontium, Sednit, and Tsar Team, Fancy Bear is a cyber-espionage group linked to the Russian government. In fact, the United States says it is a military unit of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).


Ionut Arghire is an international correspondent for SecurityWeek.
