South Korean banks told to pay $315,000 or suffer DDoS wrath

A familiar face responsible for issuing the (historically empty) threat…

David Bisson

A group of attackers has threatened to launch distributed denial-of-service (DDoS) attacks against seven South Korean banks unless they pay US $315,000 in ransom.

Between 20 June and 23 June, KB Kookmin Bank, Shinhan Bank, Woori Bank, KEB Hana Bank, NH Bank, and two other lenders received threats warning them they must pay out 360 million won (US $315,000) to attackers or suffer DDoS attacks.

The warning designated 26 June 2017 as the deadline for payment. As of this writing, it’s unclear whether any of those major financial institutions weathered an attack as promised.

The party responsible for issuing the extortion messages was none other than the Armada Collective. This ransom-based DDoS group made headlines back in the fall of 2015 when it launched attacks against ProtonMail and other encrypted email services. Shortly thereafter, the group is presumed to have gone into hiding.

But recent developments might have brought the group back into the open.

Specifically, Hauri security researcher Choi Sang-Myung suspects South Korean web hosting firm NAYANA’s payment of one million dollars in ransom to the handlers of Erebus ransomware helped draw the Armada Collective out of the woodwork.

Choi feels the country is prepared to handle actors like Armada Collective after weathering hacking campaigns directed by its northern neighbor. But that’s no reason for South Korea to let its guard down.

Chung Ki-young, head of the IT team at South Korea’s Financial Supervisory Service (FSS), voiced that same sentiment to the Financial Times:

“The Financial Supervisory Service went into an emergency mode after seven banks received threatening emails from the Armada Collective. We are preparing for various ways to prevent a DDoS attack, including blocking unnecessary IP addresses, traffic dispersion and the implementation of a clean zone.”

South Korea’s Financial Supervisory Service. (Source: Koogle TV)

Notwithstanding the Armada Collective’s designation of 28 June as “D-Day,” it’s a good idea for the FSS to help the targeted banks prepare their defenses and urge them to not pay the ransom. Several factors go into this calculus. First, even if they pay the ransom, there’s no guarantee the attack group will stay true to its word and cancel the attack. It could launch an attack with the intent of collecting a second ransom payment to stop the DDoS attack traffic. The Armada Collective could then repeat this tactic however many times it wants.

Second, the offending DDoS group has a history of issuing empty threats. Cloudflare said as much back in 2016:

“To date, we’ve not seen a single attack launched against a threatened organisation. This is in spite of nearly all of the threatened organisations we’re aware of not paying the extortion fee.”

With that in mind, the South Korean firms and other organizations everywhere should use this opportunity to evaluate their anti-DDoS measures and make sure they’re protected against actors like the Armada Collective. They should also never pay a ransom to attackers. Doing so only legitimizes the business model employed by these nefarious individuals.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.