A report from Recorded Future, a real-time threat intelligence protection company, shows that DDoS-for-Bitcoin extortion schemes are here to stay, with more and more attacks being launched solely for this reason.
This trend can be tracked down to an Akamai report released over the summer that documented the actions of a hacking group known as DD4BC (DDoS 4 Bitcoin). This group launched DDoS attacks on companies around the world, requesting small payments in Bitcoin for each target.
The group's scheme was a simple one. They would send threatening emails to business owners, saying they would launch powerful DDoS attacks if a ransom was not paid in due time to a specific Bitcoin wallet. To prove their point, a small 15-minute DDoS was launched to showcase their capabilities. DD4BC's scheme proved to be extremely lucrative and allowed them to rack up Bitcoin over the past year in over 140 DDoS attacks.
The group was active since late 2014 and suddenly stopped its activity after the Akamai report was released, probably to avoid getting caught by law enforcement authorities alerted to their scheme.
Enter Armada Collective
Soon after, the first DD4BC copycat arose, in the form of the Armada Collective hackers, carrying out DDoS attacks on small businesses in Switzerland. They then expanded to email providers, and their name became known around the world in the famous ProtonMail incident. The incident is very well documented in one of our previous stories, but we'll give you a small summary. Basically, Armada Collective followed the DD4BC regular tactics, sending an email and launching a small 10-15 Gbps DDoS attack on ProtonMail.
As soon as the attack ended, ProtonMail revealed what happened, and more serious attacks took place, with ProtonMail paying the ransom in the end. Armada Collective denied any involvement and even went as far as to return the ProtonMail ransom, putting the blame on a state-sponsored actor with capabilities that far exceeded its own.
Enter the unknown copycat
But something else happened recently that made the Recorded Future team stop and ponder about the bigger picture, and that's the DDoS-for-Bitcoin attacks on three major Greek banks. With DD4BC and Armada Collective always launching small-scale attacks and requesting modest ransoms (the equivalent of a few thousand dollars), this new group attacking Greek banks does not fit the bill.
While the attacks of DD4BC and Armada Collective seem to be the work of script kiddies, the ones that brought down ProtonMail and the three major Greek banks were massive in scale. Coupled with the fact that this new group also requests ransoms in the order of millions of dollars, there are clear signs that they are a copycat that's trying to remain hidden by passing as Armada Collective (as stated in the email sent to the Greek banks). With the number of DDoS-for-Bitcoin attacks on the rise, this type of cyber-threat is about to evolve from the work of script kiddies to the normal MO of larger cyber-criminal syndicates.