Hacking for profit
Extortionist hackers blackmailing businesses for bitcoins are on the rise - here's what we know about Armada Collective iStock

Move aside Anonymous – a new mysterious group of hackers is taking numerous firms and webmail providers offline using Distributed Denial of Service (DDoS) attacks, promising to stop if the victims pay bitcoin ransoms.

More about cybersecurity

DDoS attacks work by disrupting a website through flooding its servers with rapidly repeated requests for connection that usually come from hacked computers working as a botnet to send out lots of requests in a coordinated attack at the same time. But who is Armada Collective and is there any way we can stop this?

Armada Collective: What we know so far

In October, the Swiss government released an emergency alert warning Swiss companies about a new hacker group that was sending out blackmail emails followed by a DDoS attack against the victim's website lasting between 15 to 30 minutes in order to demonstrate its power.

Various sources claim the hackers have asked for between 10 to 30 bitcoins ($3,128 to $9,384, £2,059 to £6,178) in ransom demands and they threaten to increase their attacks and take the victim's service offline if they do not pay or talk to the media.

Six days after the Swiss government issued its alert, a source told The Nation four banks in Thailand had received a similar email threatening them and demanding bitcoin, but there has been no update since on whether the banks were attacked.

From: "Armada Collective" armadacollective@openmailbox.org
To: abuse@victimdomain; support@victimdomain; info@victimdomain
Subject: Ransom request: DDOS ATTACK!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 20 Bitcoins @ XXX

When we say all, we mean all - users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site's IP (victims IP address). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday , attack will start, price to stop will increase to 40 BTC and will go up 20 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 20 BTC @ XXX

Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

There might be two hacking groups, not one

In early November, seven alternative secure webmail services – ProtonMail, Zoho, Hushmail, FastMail, Neomailbox, VFEmail and Runbox – reported they were under sustained DDoS attack, with the attacks lasting for two to three days. Out of all the services, only ProtonMail, an encrypted mail service set up by CERN researchers, paid the ransom of 20 bitcoins, but after paying, the attacks continued.

According to ProtonMail, which worked with several IT-related divisions of the Swiss federal government, the webmail service was being targeted by not one, but two different hacking groups, as the first attack was similar to other DDoS attacks, but the second was much more sophisticated, targeting weak points in the infrastructure of ProtonMail's ISPs.

It could be possible that there is more than one hacking group carrying out these DDoS attacks, as after the second DDoS attack, one of the email addresses used by Armada Collective to send out blackmail demands was seen refunding small amounts of bitcoins to ProtonMail.

The bitcoins came together with bitcoin transaction comments such as "Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!" and "We are not attacking ProtonMail! Our attack was small, directed at their IP only and lasted 15 minutes only!"

Extortionist hackers are on the rise

No matter who Armada Collective is, the fact remains that in 2015, DDoS attacks have hit an all-time high, up 132% year-on-year from 2014, according to security and networking firm Akamai. Although DDoS attacks typically last for between 30 minutes to two hours, Akamai found that "mega attacks" peaked at over 1Tbps (1,000Gbps) and at 50 million packets per second.

The emails sent by the Armada Collective indicate it is capable of 1Tbps attacks but Akamai, which has seen several of its customers targeted, does not feel the hackers are a force to reckon with, because it has only detected attacks peaking at maximum speeds of 772Mbps.

According to Dave Larson, chief technical officer of Corero Network Security, we should not be too quick to dismiss the threat of extortionist hackers. "Web host and cloud solution providers like Akamai and CloudFlare, they don't see small attacks below a certain threshold, they allow them to go through the network, but a small-scale attack of just 500Mbps is more than enough knock out a firewall or an intrusion prevention system [IPS]," he said.

"93% of all DDoS attacks are less than 1Gbps. Small attacks are more insidious. DDoS is increasingly being used to mask and affect activity, so you can't just sample traffic to detect an attack at the edge of the network, you have to look at all the traffic."

Data centres need to take responsibility

Portugal Telecom's Covilha Data Centre
Data centres need to build better protections against DDoS attacks - they can't just focus on outdoor security, like this data centre in Portugal Portugal Telecom

ProtonMail said it agreed to pay the ransom out of fears that if it did not, other customers hosting websites the same data centre would be affected and taken offline – but this is exactly the problem, and what needs to be solved.

"A majority of data centres aren't protected against DDoS attacks. All upstream communication carriers like web hosts and cloud solution providers have an obligation to protect against this as they are the ones propagating these attacks," Larson said.

"To protect your business, this requires either having the intention to deploy the tech on your own data centre, or working with and pressuring your hosting or service provider to do it on your behalf."

If one customer's service or website hosted by a data centre is under attack, it affects all the other customers hosted by the same data centre, so data centres need to build in protection that can completely prevent DDoS attacks. Larson admits the technology is pricey but it is nowhere near how much money both companies and the data centre will lose from not having any protections in place at all.

This problem will not be going away

Larson says it will be very hard to discover exactly who these hackers are as DDoS attacks are able to attack targets with complete anonymity, and it will take the infrastructure capabilities of a government or multiple nations to pinpoint who the culprits are.

"Our customers are web hosts and service providers, and in the last year, 10 % of our customer base has come to us saying they have received ransom demands. It's a growing trend of bitcoin extortion and DDoS attacks to extort money from people. People should be worried about hackers like this. This is not a one-off situation," Larson told IBTimes UK.

"It is not difficult to execute this kind of attack. I don't think this will reduce in scope until it no longer becomes a profitable venture. We need to stand with folks who are being attacked and encourage them not to pay. Anyone who pays is only going to fuel the increase in ransom attacks.

"The hackers won't stop. There is no upper limit on what they can do. It's necessary that if folks
feel they are at risk, then they need to put a defence in front of their property. Expecting it to just go away is just naive."