Scary Wizard Behind the Curtain

Beginning in March 2016, we began hearing reports of a gang of cybercriminals once again calling themselves the Armada Collective. The calling card of the gang was an extortion email sent to a wide variety of online businesses threatening to launch DDoS attacks if they weren’t paid in Bitcoin.

From The Wizard of Oz (1939)

We heard from more than 100 existing and prospective CloudFlare customers who had received the Armada Collective’s emailed threats. We’ve also compared notes with other DDoS mitigation vendors with customers that had received similar threats.

Our conclusion was a bit of a surprise: we’ve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, there’s no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments.

The Threat

The extortion emails sent by the Armada Collective have been remarkably consistent over the last two months. Here’s an example:

To: [Victim Org’s Role Account]
From: [email protected]
Subject: DDOS ATTACK!!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT
IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.
http://lmgtfy.com/?q=Armada+Collective

Your network will be DDoS-ed starting [date]
if you don’t pay protection fee – 10 Bitcoins
@ [Bitcoin Address].

If you don’t pay by [date], attack will start,
yours service going down permanently price to
stop will increase to 20 BTC and will go up
10 BTC for every day of attack.

This is not a joke.

Our attacks are extremely powerful – sometimes
over 1 Tbps per second. And we pass CloudFlare
and others remote protections! So, no cheap
protection will help.

Prevent it all with just 10 BTC @
[Bitcoin Address]

Do not reply, we will not read. Pay and we
will know its you. AND YOU WILL NEVER AGAIN
HEAR FROM US!

Bitcoin is anonymous, nobody will ever know
you cooperated.

We’ve seen examples of the “protection fee” requested that range from 10 – 50 Bitcoin (approximately USD$4,600 – USD$23,000 based on BTC to USD exchange rates as of 25 April 2016). There does not appear to be any correlation of the amount requested and the size or financial resources of the threatened victim.

While the message states that the attackers will know who has paid, we’ve seen several examples of multiple victims being targeted during the same time period and asked to send the same amount to the same Bitcoin address. Since Bitcoin is, as the message correctly notes, anonymous, this means that there is no way for the attacker to tell who has paid the extortion fee and who has not.

No Attack, Still Lucrative

Given that the attackers can’t tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we’ve not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we’re aware of not paying the extortion fee. We’ve compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.

Unfortunately, in spite of the lack of actual DDoS follow through, it appears that many victims are paying the extortion fee. A security analyst from the Bitcoin analysis firm Chainalysis studied payments sent to the Armada Collective’s Bitcoin addresses and concluded that more than USD$100,000 has been sent to the attackers by victims.

Armada Collective Redux

This is not the first group to call themselves the Armada Collective. Unlike the current incarnation, the original Armada Collective did carry through on their DDoS threats. That group went silent in November 2015. It’s suspected that “Armada Collective” was originally one of the names used by the DD4BC DDoS extortion group. Alleged members of DD4BC were arrested in January 2016 as part of Europol’s Operation Pleiades.

The original Armada Collective/DD4BC attackers claimed the ability to generate 500Gbps DDoS attacks. In reality, we and other DDoS mitigation vendors never saw attacks larger than 60Gbps. Regardless, CloudFlare successfully mitigated all of the original group’s attacks targeting our customers, perhaps prompting the Copycat Armada Collective to double the size of their claimed attack capacity to 1Tbps and call CloudFlare out by name in their new threats. (Incidentally, we have plenty of capacity to stop even an attack that large if it ever turns out to be anything more than hypothetical.)

When I was first briefed by our team about this latest incarnation of the Armada Collective, I keep thinking of that scene in the movie the Princess Bride where the mild-mannered Wesley explains to Princess Buttercup how he became the “Dread Pirate Roberts”: “The name was the important thing for inspiring the necessary fear. You see, no one would surrender to the Dread Pirate Wesley.”

And so, it seems, the same is true with cybercriminals. While the actual members of the original Armada Collective appear locked up in a European jail, with little more than some Bitcoin addresses and an email account some enterprising individuals are drafting off the group’s original name, sowing fear, and collecting hundreds of thousands of extorted dollars.

Busting the Myth

Let Me Google That For You: Armada Collective

The extortion emails encourage targeted victims to Google for the Armada Collective. I’m hopeful this article will start appearing near the top of search results and help organizations act more rationally when they receive such a threat.

It’s important to note that not all DDoS extortion threats are empty. There are several groups currently sending out extortion emails that actually do follow through on their threats. I won’t name them here so as not to encourage copycats. However, if you ever receive a threat and want to know more about the group, don’t hesitate to reach out. We’re always happy to share our view from the perspective of the more than 4 million customers we help protect from real cyber attacks every day.

The Wizard RevealedFrom The Wizard of Oz (1939)

Read more here:: CloudFlare

Empty DDoS Threats: Meet the Armada Collective