Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Published on November 8, 2015 08:35 UTC by GovCERT.ch (permalink)
Last updated on April 29, 2016 08:09 UTC
A new wave of extortion emails has arrived in different Swiss Onlineshops. We have strong indications, that those extortioner are a copycat of Armada Collective.
Our recommendations regarding these extortion emails in Switzerland are the same as last year:Do not pay the ransom
During the recent days and weeks, various Hosting Providers in Switzerland have been blackmailed by a hacking group that calls themselves Armada Collective. As the Distributed Denial of Service (DDoS) attacks carried out by the Armada Collective have grown in terms of intensity and frequency, we have decided to publish an update to our previous blog post about Armada Collective, providing a short overview on the current situation in Switzerland and some additional information.
Most of the hacking groups like the Armada Collective and DD4BC are suspected to use booters/stressers ("DDoS as a service") for their DDoS attacks. Hackers can "rent" DDoS attacks for a specific time period from such service, which often sell their DDoS services under the umbrella of "stress testers". The reason why such DDoS services are using this terminology is simple: They want to avoid being a target of actions from Law Enforcement, claiming that they only provide services to website owners to "test" anti DDoS mechanisms. But in fact, boosters / stressers do not verify if the targeted website is actually owned by the customer who ordered the DDoS attack. Due to this, anyone can order a DDoS attack against any website in the internet, and that just for a couple of dollars. Most of such booters / stressers are either using traditional botnets (infected computers – bots) or vulnerable or misconfigured servers in the internet for their attacks. They usually also provide a very user-friendly interface so that even people without much IT knowledge can use such services without any hassle. In addition, customers of such booter / stresser services have the choice between a vast amount of attack types, starting from traditional HTTP and TCP SYN flood up to more modern attack methods such as DNS amplification attacks.
Attacks on the network layer are normally much simpler and can affect any application or system. They target bandwidth or basic system resources which are usually limited. Most common network attacks are:
Attacks on the application layer are more diverse and are targeting a certain protocol or application. It is even possible to create very targeted attacks that exploit a certain weakness in an application, e.g. a search function that, for example, result in SQL queries that consumes much system resources. Some examples are:
From several attacks attributed to Armada Collective, we know that the attackers have used different types of the aforementioned attacks, namely DNS, NTP, SSDP and Chargen amplifications and reflection attacks.
We are aware that some organizations that have been blackmailed by hackers recently paid the ransom. We hereby want to outline that MELANI strongly advises victims not to pay under any circumstances. Even though we understand that being under DDoS attack is a very difficult situation and can threaten the operations of the targeting organisation seriously, paying the ransom is not a good option. It will only confirm that the DDoS extortion model actually works, motivating the attacker to continue his business and blackmailing even more victims. There is no guarantee that, after paying a ransom, the attack will stop. If you once pay for a ransom, other hackers might jump on the same train and will start blackmailing you as well (since they know that you are vulnerable to this kind of attack / extortion). Paying such groups fuels their business and gives the attackers even more financial possibilities. As the intensity and duration of DDoS attacks depends on how much money the attacker is willing to pay to the stresser/booter operator, paying the ransom to the attacker leads to bigger and longer attacks that are very cost-intensive to mitigate. Such attacks may then also hurt large ISPs and critical infrastructures.
Today, MELANI has also released a newsletter that highlights these facts more in-depth.
Ransom payments finance and strengthen DDoS attack infrastructure:
MELANI provides a factsheet with the most important points on mitigation strategies.
Massnahmen gegen DDoS Attacken (German):
Mesures à prendre contre les attaques DDoS (French):
Misure contro attacchi DDoS (Italian):
Measures to counter DDoS attacks (English):
Even though DDoS mitigation is, depending on the attack type and intensity, sometimes difficult and time-consuming, we are convinced that DDoS mitigation should be possible as every DDoS attack also consumes resources on the attacker’s side. Therefore, attackers may not be willing to continue such attacks over a longer time period. It is important that any organization is prepared to deal with DDoS attacks and having mitigation and backup strategies ready to in order to show attackers that your organization is not a helpless victim but well prepared and able to defend its systems and network against such attacks.
If an organization is under attack, we recommend to inform CYCO (Cybercrime Coordination Unit Switzerland) and the Reporting and Analysis Centre for Information Assurance (MELANI) in order to coordinate mitigations and penal prosecution efforts. We are also glad to receive packet dumps (pcaps) of such attacks in order to better understand the various attackers and to develop mitigation strategies. If you receive a blackmail, please send it to CYCO and MELANI as it may contain valuable information.
CYCO (Cybercrime Coordination Unit Switzerland):
Reporting and Analysis Centre for Information Assurance (MELANI):
Back to top