Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support)
Published on September 22, 2015 08:00 UTC by GovCERT.ch (permalink)
Last updated on April 29, 2016 08:10 UTC
A new wave of extortion emails has arrived in different Swiss Onlineshops. We have strong indications, that those extortioner are a copycat of Armada Collective.
Our recommendations regarding these extortion emails in Switzerland are the same as last year:Do not pay the ransom
Earlier this year, we warned about DD4BC, a hacker group that tried to extort money from high value targets in Switzerland and abroad. While DD4BC is still around, MELANI / GovCERT.ch as well as the Cybercrime Coordination Unit Switzerland (CYCO) did receive several independent reports from hosting Providers in Switzerland recently that they are being blackmailed by a hacker group that calls themselves Armada Collective.
The modus operandi observed was exactly the same as in the case of DD4BC: The Aramda Collective blackmails their victim, demanding 10 BTC (Bitcoins), which is around 2’500 CHF. At the same time, the hackers launch a Distributed Denial of Service Attack (DDoS) against the victim’s web site to demonstrate their power. This demo DDoS attack usually lasts for 15min – 30min, while the bandwidth varies from around 300Mbit/s up to 15GBit/s and occasionally even more.The attackers threats their victim that in case of non-paying, they will launch another, even bigger DDoS attack to bring the victims website down.
The attackers usually send their blackmail from either firstname.lastname@example.org or a similar email address at a free email service provider, using the subject "Ransom request: DDOS ATTACK!".
The blackmail may look like this:
From: "Armada Collective" email@example.com
To: abuse@victimdomain; support@victimdomain; info@victimdomain
Subject: Ransom request: DDOS ATTACK!
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
We are Armada Collective.
All your servers will be DDoS-ed starting Friday if you don't pay 20
Bitcoins @ XXX
When we say all, we mean all - users will not be able to access sites
host with you at all.
Right now we will start 15 minutes attack on your site's IP
(victims IP address). It will not be hard, we will not crash it at the moment
to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by Friday , attack will start, price to stop will
increase to 40 BTC and will go up 20 BTC for every day of attack.
If you report this to media and try to get some free publicity by using
our name, instead of paying, attack will start permanently and will last
for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second.
So, no cheap protection will help.
Prevent it all with just 20 BTC @ XXX
Do not reply, we will probably not read. Pay and we will know its you.
AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
In case of Armada Collective, our recommendations are the same as for DD4BC: Rather than give in and pay the Armada Collective a certain amount of Bitcoins, we recommend victims to talk to their Internet Services Provider (ISP) to discuss mitigation techniques, such as IP based rate limiting or (temporary) Geo IP address filter. In addition, MELANI / GovCERT.ch and CYCO recommends to file a criminal complaint at your local police and avoid any communication with the attackers.
Possible mitigation techniques (these have to be discussed with your ISP and / or upstream provider):
MELANI / GovCERT.ch has also published a more detailed set of recommendations to mitigate DDoS attacks. These recommendations are available in German, French, Italian and English.
Massnahmen gegen DDoS Attacken (German):
Mesures à prendre contre les attaques DDoS (French):
Misure contro attacchi DDoS (Italian):
Measures to counter DDoS attacks (English):
Back to top