
Attacks/Breaches

12/7/2015 05:00 PM

Cyber Extortion, DDoS-For-Bitcoin Campaigns Rise

Now that the model is proven, more cyber-extortionists are entering the scene, stealing their predecessors' ideas and even their names.

Whether via DDoS, doxing threats, or ransomware, attackers extorting victims for cash by electronic means are on the rise, and Bitcoin may be partly to blame for the increase, according to researchers at Recorded Future.

"Bitcoin attracted more miscreants to the space," says Tyler Bradshaw, solutions engineer for Recorded Future. Because it is relatively new and unregulated, the currency allows extortionists to accept payments anonymously.

While ransomware operators are generally indiscriminate about targets, go after individuals, and request small ransoms of 1 to 2 BTC (currently approximately $349 to $698), DDoS extortionists take the opposite approach.

Last year, the threat group DD4BC (short for "DDoS for Bitcoin") first emerged. DD4BC's modus operandi was to threaten a company with a major distributed denial of service -- on the magnitude of 400-500 Gbps -- prove it could compromise the network by carrying out a low-level warning attack of roughly 10-20 Gbps, and demand a payment to prevent a large-scale DDoS. According to Recorded Future, DD4BC has attacked over 140 companies in this way.

According to a report by researchers at Akamai's Prolexic Security Engineering and Research Team (PLXsert) released in September, the group first targeted online gaming sites and online currency exchanges -- which would be reluctant to request help from law enforcement. They then shifted attention to financial services companies, tweaking the attack to include a threat of publicly embarrassing the company by revealing, via social media, that the company had been DDoSed.

DD4BC's ransom demands ranged from 10 BTC to as much as 200 BTC (currently $3,940 to $78,788), often starting low and increasing the price the longer the victim failed to pay up.

DD4BC did not actually seem to be capable of carrying out the 400-500 Gbps-scale attack they threatened. The worst Akamai detected was 56 Gbps. Yet, the threats and warning attacks were enough to convince targets to pay the ransom.
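The gap between the volume a ransom letter threatens and the volume actually observed is something a defender can measure rather than guess. The following is an added example for this article, not code from Recorded Future, Akamai, or the article's author: it aggregates per-second byte counters, finds the peak rate in Gbps, counts how many seconds exceeded a "warning attack" threshold, and reports the observed peak as a fraction of the claimed figure. The record format (one `<unix_seconds> <bytes>` line, as a flow exporter or collector might write) is an assumption, and the sample records are constructed for illustration.

```python
"""Measure observed attack volume from per-second byte counters and compare it
with the volume an extortion letter threatens.

Added example for this article; not code from Recorded Future, Akamai, or the
article's author. The input format (one '<unix_seconds> <bytes>' record per
line) is an assumption, and SAMPLE_RECORDS below is constructed.
"""
from collections import defaultdict

# Constructed sample: background traffic of roughly 1 Gbps with a three-second
# burst of roughly 15 Gbps, i.e. the scale of a "warning" attack.
SAMPLE_RECORDS = """\
1449500000 120000000
1449500001 125000000
1449500002 1900000000
1449500003 1950000000
1449500004 1875000000
1449500005 130000000
"""


def parse_records(text):
    """Aggregate byte counts per second; skip blank and malformed lines."""
    per_second = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            second, nbytes = int(parts[0]), int(parts[1])
        except ValueError:
            continue
        per_second[second] += nbytes
    return dict(per_second)


def bytes_to_gbps(nbytes):
    """Bytes observed within one second -> gigabits per second (decimal giga)."""
    return nbytes * 8 / 1e9


def assess(per_second, claimed_gbps, warn_threshold_gbps=10.0):
    """Summarise the observed burst against the threatened volume.

    Returns the peak rate and when it occurred, how many seconds met or
    exceeded the warning threshold, and the peak as a fraction of the claim.
    """
    if not per_second:
        return {"peak_gbps": 0.0, "peak_second": None,
                "seconds_above_threshold": 0, "fraction_of_claim": 0.0}
    peak_second = max(per_second, key=per_second.get)
    peak = bytes_to_gbps(per_second[peak_second])
    above = sum(1 for b in per_second.values()
                if bytes_to_gbps(b) >= warn_threshold_gbps)
    fraction = round(peak / claimed_gbps, 4) if claimed_gbps > 0 else None
    return {
        "peak_gbps": round(peak, 2),
        "peak_second": peak_second,
        "seconds_above_threshold": above,
        "fraction_of_claim": fraction,
    }


if __name__ == "__main__":
    # Compare the constructed burst with a claimed 400 Gbps attack.
    print(assess(parse_records(SAMPLE_RECORDS), claimed_gbps=400.0))
```

Feeding real collector output through `parse_records` and comparing the result with the figure in the letter gives an incident responder a concrete number to put next to the threat, which is the kind of evidence Akamai's 56 Gbps observation represents.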

As Akamai PLXsert wrote in its September report:

"PLXsert believes copycats will enter the game, increasing these types of attacks. In fact, copycats may already be sending their own ransom letters, piggybacking on the reputation of dd4bc."

That's precisely what has happened, according to Recorded Future.

In the wake of Akamai's report, DD4BC's own activity sharply decreased, but a new group called Armada Collective showed up on the scene, using the same model DD4BC had used.

One of Armada Collective's victims was ProtonMail, an encrypted email service provider. Yet even after ProtonMail paid the extortion fee, the attacks increased and became more sophisticated. According to the Recorded Future report:

ProtonMail claimed this second attack was a “coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes.” In fact, ProtonMail has stated that the second attack appears to be nation-state sponsored.

The Armada Collective vehemently denied involvement in this second attack, despite their own warnings of a larger attack. They even refunded bitcoins to ProtonMail in order to send messages such as:

“Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” and “WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE.”

Then last week, news broke that three Greek banks were hit with DDoS attacks that the attackers claimed were the work of the Armada Collective. However, the extortion amount requested was a whopping 20,000 BTC, or $7.85 million at current value, from each bank.

"That's why it was a red flag for me," says Bradshaw, "that this might not be the Armada Collective," either. The size of the ransom was too high for the original Armada Collective, which also tended to go for targets that were unlikely to involve law enforcement.

A bank official told the Financial Times last month, "No bank responded to this extortion, so the same hackers tried again at the weekend and today. But we had strengthened our defence in the meantime, so no disruptions took place."

Why would an attack group hijack another's handle? "They may be using the name because it's easier to ride those coattails without doing any work first," says Bradshaw, explaining that threats from an established threat actor may be taken more seriously by targets. Plus, it gives law enforcement a false trail to follow. "If something goes down, the eyes are not pointed at them," he says.

Although cyber-extortion is increasing, the success of each attack campaign depends upon combining the right technological capabilities with the right price point. Last week, not only did the Greek banks not pay Armada Collective the $7.85 million request, but three banks in the United Arab Emirates refused to pay an attacker called Hacker Buba a $3 million payout. In response, Hacker Buba publicly dumped personal information, full credit card data, and transaction histories on tens of thousands of the banks' customers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
ilgioa, 12/11/2015 | 8:25:04 AM
"Threatened", not "hit"
Greek banks have been "threatened with", not "hit by" DDoS attacks.

"Hit" suggests that attacks have been launched and all of them have been successful.