Whether it be via DDoS, doxing threats, or ransomware, attackers extorting victims for cash via electronic means is growing, and Bitcoin may be partly to blame for the increase, according to researchers at Recorded Future.
"Bitcoin attracted more miscreants to the space," says Tyler Bradshaw, solutions engineer for Recorded Future. Because it's a relatively new, the unregulated currency allows extortionists to accept payments anonymously.
While ransomware operators are generally indiscriminate about targets, go after individuals, and request small ransoms of 1 to 2 BTC (currently approximately $349 to $698), DDoS extortionists take the opposite approach.
Last year, the threat group DD4BC (short for "DDoS for Bitcoin") first emerged. DD4BC's modus operandi was to threaten a company with a major distributed denial of service -- on the magnitude of 400-500 Gbps -- prove it could compromise the network by carrying out a low-level warning attack of roughly 10-20 Gbps, and demand a payment to prevent a large-scale DDoS. According to Recorded Future, DD4BC has attacked over 140 companies in this way.
According to a report by researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) released in September, the group first targeted online gaming and online currency exchanges -- which would be reluctant to request help from law enforcement. They then shifted attention to financial services companies, tweaking the attack to include a threat of publicly embarrasing the company by revealing, via social media, the company had been DDoSed.
DD4BC's ransom demands ranged from 10 BTC to as much as 200 BTC (currently $3,940 to $78,788), often starting low and increasing the price the longer the victim failed to pay up.
DD4BC did not actually seem to be capable of carrying out the 400-500 Gbps-scale attack they threatened. The worst Akamai detected was 56 Gbps. Yet, the threats and warning attacks were enough to convince targets to pay the ransom.
As Akamai PLXsert wrote in its September report:
PLXsert believes copycats will enter the game, increasing these types of attacks. In fact,
copycats may already be sending their own ransom letters, piggybacking on the reputation
That's precisely what has happened, according to Recorded Future.
In the wake of Akamai's report, DD4BC's own activity sharply decreased, but a new group called Armada Collective showed up on the scene, using the same model DD4BC had used.
One of Armada Collective's victims was ProtonMail, an encrypted email service provider. Yet even after ProtonMail paid the extortion fee, the attacks increased and became more sophisticated. According to the Recorded Future report:
ProtonMail claimed this second attack was a “coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes.” In fact, ProtonMail has stated that the second attack appears to be nation-state sponsored.
The Armada Collective vehemently denied involvement in this second attack, despite their own warnings of a larger attack. They even refunded bitcoins to ProtonMail in order to send messages such as:
“Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” and “WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE.”
Then last week, news broke that three Greek banks were hit with DDoS attacks, claiming to be committed by the Armada Collective. However, the extortion amount requested was a whopping 20,000 BTC, or $7.85 million at current value, from each bank.
"That's why it was a red flag for me," says Bradshaw, "that this might not be the Armada Collective," either. The size of the ransom was too high for the original Armada Collective, which also tended to go for targets that were unlikely to involve law enforcement.
A bank official told the Financial Times last month, "No bank responded to this extortion, so the same hackers tried again at the weekend and today. But we had strengthened our defence in the meantime, so no disruptions took place."
Why would an attack group hijack another's handle? "They may be using the name because it's easier to ride those coattails without doing any work first," says Bradshaw, explaining that threats from an established threat actor may be taken more seriously by targets. Plus, it gives law enforcement a false trail to follow. "If something goes down, the eyes are not pointed at them," he says.
Although cyber-extortion is increasing, the success of each attack campaign depends upon combining the right technological capabilities with the right price point. Last week, not only did the Greek banks not pay Armada Collective the $7.85 million request, but three banks in the United Arab Emirates refused to pay an attacker called Hacker Buba a $3 million payout. In response, Hacker Buba publicly dumped personal information, full credit card data, and transaction histories on tens of thousands of the banks' customers.