An unknown hacker
A hacker group is targeting web firms and demanding they pay ransoms to stop its sustained DDoS attacks iStock

A new mysterious group of hackers that calls itself the Armada Collective has targeted the website of a cyber security expert for highlighting its Distributed Denial of Service (DDoS) attacks and ransom demands against a wide number of Swiss firms, four Thai banks and most recently, the providers of secure webmail services.

UK cybersecurity expert Graham Cluley told IBTimes UK that his website has been under attack since he wrote an article on 10 November highlighting the activities of Armada Collective, in particular the fact that the hacking collective is currently running sustained DDoS attack campaigns against seven alternative email services: ProtonMail, Zoho, Hushmail, FastMail, Neomailbox, VFEmail and Runbox.

Over the past week, ProtonMail, an encrypted mail service set up by CERN researchers, has been in the news after it was hit by the DDoS attack on 3 November and then agreed to pay the hackers' ransom demand of 20 bitcoins ($6,369, £4,199).

Unfortunately, the attacks continued even after the ransom was paid, and the other six webmail services have categorically said that they will not be paying the ransom demand, even if the DDoS attacks disrupt their users' ability to access their emails. Cluley confirmed that his website is still under attack but said that he has not received a ransom demand.

ProtonMail wrote in a blog post: "This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us.

"We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision, so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom."

However, the Armada Collective's activities are not limited to just extorting bitcoins from webmail providers – as mentioned by ProtonMail above. The hackers targeted so many Swiss firms in October that the Swiss government put out an emergency alert about the group, and four Thai banks also received a similar ransom demand in the same month.

DDoS attacks work by disrupting a website through flooding its servers with rapidly repeated requests for connection, that usually come from hacked computers working as a botnet to send out lots of requests in a coordinated attack at the same time. In its ransom demand emails, Armada Collective claimed that its attacks generated traffic at speeds of 1Tbps, which is an immense amount of data to flood a server with.

Security and networking firm Akamai says that the Armada Collective has targeted several of its customers, but its researchers have found that the hacking group's DDoS attacks have in reality only peaked at maximum speeds of 772Mbps.

"Organisations should take the threat seriously. The nature of Armada Collective's operation and the successes it has obtained has lead Akamai's Security Intelligence Research Team to expect this and other groups to continue to increase its range of targets to other verticals," Bill Brenner, a senior tech writer with Akamai SIRT wrote in a blog post. "Companies susceptible to financial loss from downtime are at greatest risk."