Attacks/Breaches

12/7/2015
05:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber Extortion, DDoS-For-Bitcoin Campaigns Rise

Now that the model is proven, more cyber-extortionists are entering the scene, stealing their predecessors' ideas and even their names.

Whether it be via DDoS, doxing threats, or ransomware, attackers extorting victims for cash via electronic means is growing, and Bitcoin may be partly to blame for the increase, according to researchers at Recorded Future

"Bitcoin attracted more miscreants to the space," says Tyler Bradshaw, solutions engineer for Recorded Future. Because it's a relatively new, the unregulated currency allows extortionists to accept payments anonymously.

While ransomware operators are generally indiscriminate about targets, go after individuals, and request small ransoms of 1 to 2 BTC (currently approximately $349 to $698), DDoS extortionists take the opposite approach.

Last year, the threat group DD4BC (short for "DDoS for Bitcoin") first emerged. DD4BC's modus operandi was to threaten a company with a major distributed denial of service -- on the magnitude of 400-500 Gbps -- prove it could compromise the network by carrying out a low-level warning attack of roughly 10-20 Gbps, and demand a payment to prevent a large-scale DDoS. According to Recorded Future, DD4BC has attacked over 140 companies in this way.

According to a report by researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) released in September, the group first targeted online gaming and online currency exchanges -- which would be reluctant to request help from law enforcement. They then shifted attention to financial services companies, tweaking the attack to include a threat of publicly embarrasing the company by revealing, via social media, the company had been DDoSed. 

DD4BC's ransom demands ranged from 10 BTC to as much as 200 BTC (currently $3,940 to $78,788), often starting low and increasing the price the longer the victim failed to pay up.

DD4BC did not actually seem to be capable of carrying out the 400-500 Gbps-scale attack they threatened. The worst Akamai detected was 56 Gbps. Yet, the threats and warning attacks were enough to convince targets to pay the ransom.

As Akamai PLXsert wrote in its September report:

PLXsert believes copycats will enter the game, increasing these types of attacks. In fact,
copycats may already be sending their own ransom letters, piggybacking on the reputation
of dd4bc.

That's precisely what has happened, according to Recorded Future.

In the wake of Akamai's report, DD4BC's own activity sharply decreased, but a new group called Armada Collective showed up on the scene, using the same model DD4BC had used.

One of Armada Collective's victims was ProtonMail, an encrypted email service provider. Yet even after ProtonMail paid the extortion fee, the attacks increased and became more sophisticated. According to the Recorded Future report:

ProtonMail claimed this second attack was a “coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes.” In fact, ProtonMail has stated that the second attack appears to be nation-state sponsored.

The Armada Collective vehemently denied involvement in this second attack, despite their own warnings of a larger attack. They even refunded bitcoins to ProtonMail in order to send messages such as:

“Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” and “WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE.”

Then last week, news broke that three Greek banks were hit with DDoS attacks, claiming to be committed by the Armada Collective. However, the extortion amount requested was a whopping 20,000 BTC, or $7.85 million at current value, from each bank.

"That's why it was a red flag for me," says Bradshaw, "that this might not be the Armada Collective," either. The size of the ransom was too high for the original Armada Collective, which also tended to go for targets that were unlikely to involve law enforcement.

A bank official told the Financial Times last month, "No bank responded to this extortion, so the same hackers tried again at the weekend and today. But we had strengthened our defence in the meantime, so no disruptions took place."

Why would an attack group hijack another's handle? "They may be using the name because it's easier to ride those coattails without doing any work first," says Bradshaw, explaining that threats from an established threat actor may be taken more seriously by targets. Plus, it gives law enforcement a false trail to follow. "If something goes down, the eyes are not pointed at them," he says.

Although cyber-extortion is increasing, the success of each attack campaign depends upon combining the right technological capabilities with the right price point. Last week, not only did the Greek banks not pay Armada Collective the $7.85 million request, but three banks in the United Arab Emirates refused to pay an attacker called Hacker Buba a $3 million payout. In response, Hacker Buba publicly dumped personal information, full credit card data, and transaction histories on tens of thousands of the banks' customers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ilgioa
50%
50%
ilgioa,
User Rank: Apprentice
12/11/2015 | 8:25:04 AM
"Threatened", not "hit"
Greek banks have been "threatened with", not "hit by" DDoS attacks.

"Hit" suggests that attacks have been launched and all of them have been successful.
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...