More websites hit by Armada Collective DDoS blackmail attacks, but won’t pay up

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Ddos extortionAn online criminal gang calling itself the “Armada Collective” has been demanding that online businesses pay thousands of dollars in Bitcoins, or face having their websites brought to their knees by crippling internet attacks.

And, as the DDoS experts at Akamai point out, it is online companies who have the most to lose from downtime who are at the greatest risk.

Here is a typical ransom demand, as shared by the Swiss Government’s CERT, that was emailed to victims by the Armada Collective as it threatened distributed denial-of-service (DDoS) attacks:

From: “Armada Collective” [email protected]
To: abuse@victimdomain; support@victimdomain; info@victimdomain
Subject: Ransom request: DDOS ATTACK!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don’t pay 20 Bitcoins @ XXX

When we say all, we mean all – users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site’s IP (victims IP address). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It’s just to prove that this is not a hoax. Check your logs!

If you don’t pay by Friday , attack will start, price to stop will increase to 40 BTC and will go up 20 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful – sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 20 BTC @ XXX

Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

For the uninitiated, a DDoS attack is where criminals bombard a website with so much traffic that it effectively clogs up, stopping legitimate visitors from accessing it.

Protonmail down

As previously reported, Switzerland-based secure email firm ProtonMail was hit by a DDoS attack on November 3rd that was sustained for some days, eventually leading to the company paying a ransom worth $6000.

The firm later acknowledged that this was a poor decision, as it continued to be hit by DDoS attacks for some days and vowed to never pay blackmailers again.

But ProtonMail wasn’t the first of the Armada Collective’s victims. The hacking group had previously, for instance, struck at the webhosts of other Swiss online firms and financial institutions, as well as four Thai banks.

In each case, demands were made for money to be paid.

Sign up to our free newsletter.
Security news, advice, and tips.

Other victims of attacks have included a number of online email services, including:

  • Hushmail, which has said it will not pay.
  • Neomailbox has said it will not pay.
  • VFEmail has said it will not pay.
  • Runbox has said it will not pay.

Zoho, which has also been attacked, summed up the position of many firms, saying that it will not give in to the attackers:

“Please stand by us as we fight this attack. We cannot give in to criminals and embolden them to perpetuate other attacks.”

Ddos extortionOf course, we don’t know who the Armada Collective is (although it’s fairly certain that law enforcement agencies around the world might be investigating).

We don’t even know if it’s one group or several – it’s perfectly possible that opportunists might be using the current wave of DDoS attacks to pretend to be responsible for the attacks in an attempt to make some quick cash.

Furthermore, it remains a possibility that some other firms may have been threatened with a DDoS attack and chosen to pay up, and that their negotiations with the criminals have not made it into the public eye.

There is certainly much more to be untangled about this story, including the nuggets shared by Forbes which seem to indicate that the attackers have sent small amounts of stolen cash *back* to ProtonMail.

DDoS attacks aren’t at all pleasant – although a DDoS by itself doesn’t result in systems being breached or databases being plundered, they are still bad news for the companies and web hosts that really need to stay online to do business.

I understand that feeling only too well. This weekend, my own web host battled a major denial-of-service attack that forced my site offline for a period of time, alongside other users.

And, of course, DDoS attacks are also a pain for customers who rely upon services remaining available to access their email, their online accounts or – if they were readers of my site – my ramblings about computer security.

For what it’s worth, I have no reason to believe that my web host was attacked by the Armada Collective. However, it does appear that the attack on my web host was significant, so…

Take care folks, and if your company runs a website which users rely upon to be available – and you have the resources available to you – investigate what you can do to mitigate a DDoS attack *before* you’re the next target on the criminals’ list.

Ultimately it might be the price you have to pay to stay in business – and my guess is that in the long run it will be cheaper than shelling out to online criminals.

And if you’re a regular computer user – defend your PC with up-to-date security software and patches to reduce the chances of it being hijacked into a botnet for the purposes of bombarding innocent sites with a DDoS attack.

In case I need to repeat it, don’t ever pay blackmailers. You’re just making the internet a less safe place for the rest of us if you do.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “More websites hit by Armada Collective DDoS blackmail attacks, but won’t pay up”

  1. coyote

    It's true that it doesn't equate to compromised hosts. But it is also true that it can be used in some kinds of attacks that do lead to a compromised host (or attempt to).

    As for DDoS attacks, and to those who don't know, it is distributed denial of service, which means it is many hosts bombarding the target, rather than a single attacking host launching the attack. Depending on what kind of attack, it can cause a service to crash or a server to reboot, but in those cases it could just as well be a regular DoS attack. But they also fill the connection tables (for a somewhat simplified example) that prevents the victim host from communicating with legit hosts.

    As for this website, it is interesting but it seems that ever since you've changed hosts, there is more latency (haven't investigated it though). Sometimes there are timeouts and I have to try again.

  2. Jeffrey Goldberg

    If I may take this opportunity to remind people that even if you think "you have nothing of value" on a machine connected to the public network, your network connection is of value to criminals engaging in a DDoS. If you don't keep your computer up to date and secure, it will be used by criminals.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.