Tech

How cybercriminals earned $100,000 just by sending a DDoS threat email

Just the threat of a crippling DDoS attack seems to be enough to get firms to pay up -- and Armada is cashing in.

Written by Charlie Osborne, Contributing Writer April 26, 2016 at 3:16 a.m. PT

A group called the Armada Collective are reaping the rewards of cybercrime by threatening jittery businesses with the idea of a DDoS attack -- without actually doing more than sending an email or two.

Security

Distributed denial-of-service (DDoS) attacks, while taking no technical expertise beyond knowing how to flood a website with traffic and causing it to crash, may not be sophisticated -- but can still cause serious damage.

In a modern landscape where the enterprise counts downtime as money (just ask the angry customers of 123reg, which managed to wipe out hundreds of businesses through a technical error), disruption can be costly.

Now, it seems merely the threat of a DDoS is enough for businesses to cave in and pay a cybercriminal's demand.

On Monday, US DDoS protection & web security provider CloudFlare revealed the results of an investigation into the Armada Collective, a cybergang which has been caught sending emails to corporations, threatening to bring them down with DDoS attacks unless they paid up in Bitcoin.

According to CloudFlare CEO Matthew Price, over 100 businesses have received the extortion emails, and many of which have paid up -- without there being a single example of Armada launching a DDoS attack against an entity which refused to pay up. Price said:

"In fact, because the extortion emails reuse Bitcoin addresses, there's no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments."

While it is not known exactly how many recipients have paid up, the "protection fee" ranges from 10 - 50 Bitcoin, which is roughly $4,600 - $23,000. Not only is there no consistency when it comes to how much is demanded, some victims have received multiple requests for the blackmail payment to be sent to the same Bitcoin wallet address.

However, according to Bitcoin analysis firm Chainanalysis, over $100,000 has been paid by spooked businesses to the cybercriminals.

CloudFlare notes that the current evolution of Armada is very different to the first group, under the same name, which went quiet in 2015. The first Armada did carry out their threats to DDoS firms -- sometimes reaching attacks over 60Gbps -- but after alleged members were arrested in 2016, it may be that a separate group has stolen the name to capitalize on other criminals' past exploits.

"While the actual members of the original Armada Collective appear locked up in a European jail, with little more than some Bitcoin addresses and an email account some enterprising individuals are drafting off the group's original name, sowing fear, and collecting hundreds of thousands of extorted dollars," Price noted.

"I'm hopeful this article will start appearing near the top of search results and help organizations act more rationally when they receive such a threat."