A group of attackers has threatened to launch distributed denial-of-service (DDoS) attacks against seven South Korean banks unless they pay US $315,000 in ransom.
Between 20 June and 23 June, KB Kookmin Bank, Shinhan Bank, Woori Bank, KEB Hana Bank, NH Bank, and two other lenders received threats warning them they must pay out 360 million won (US $315,000) to attackers or suffer DDoS attacks.
The warning designated 26 June 2017 as the deadline for payment. As of this writing, it’s unclear whether any of those major financial institutions weathered an attack as promised.
The party responsible for issuing the extortion messages was none other than the Armada Collective. This ransom-based DDoS group made headlines back in the fall of 2015 when it launched attacks against ProtonMail and other encrypted email services. Shortly thereafter, the group is presumed to have gone into hiding.
But recent developments might have brought the group back into the open.
Specifically, Hauri security researcher Choi Sang-Myung suspects South Korean web hosting firm NAYANA’s payment of one million dollars in ransom to the handlers of Erebus ransomware helped draw the Armada Collective out of the woodwork.
Choi feels the country is prepared to handle actors like Armada Collective after weathering hacking campaigns directed by its northern neighbor. But that’s no reason for South Korea to let its guard down.
Chung Ki-young, head of the IT team at South Korea’s Financial Supervisory Service (FSS), voiced that same sentiment to the Financial Times:
“The Financial Supervisory Service went into an emergency mode after seven banks received threatening emails from the Armada Collective. We are preparing for various ways to prevent a DDoS attack, including blocking unnecessary IP addresses, traffic dispersion and the implementation of a clean zone.”
Notwithstanding the Armada Collective’s designation of 28 June as “D-Day,” it’s a good idea for the FSS to help the targeted banks prepare their defenses and urge them not to pay the ransom. Several factors go into this calculus. First, even if they pay the ransom, there’s no guarantee the attack group will stay true to its word and cancel the attack. It could launch an attack with the intent of collecting a second ransom payment to stop the DDoS attack traffic. The Armada Collective could then repeat this tactic however many times it wants.
Second, the offending DDoS group has a history of issuing empty threats. Cloudflare said as much back in 2016:
“To date, we’ve not seen a single attack launched against a threatened organisation. This is in spite of nearly all of the threatened organisations we’re aware of not paying the extortion fee.”
With that in mind, the South Korean firms and other organizations everywhere should use this opportunity to evaluate their anti-DDoS measures and make sure they’re protected against actors like the Armada Collective. They should also never pay a ransom to attackers. Doing so only legitimizes the business model employed by these nefarious individuals.