
2 days ago, we received a ransom email from Armada Collective, followed by 1 hour of DDoS attack. This group has been in the news recently (http://www.forbes.com/sites/thomasbrewster/2015/11/09/armada-bitcoin-crooks-go-big/).

Here is the email we received:

> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
> DECISION!
>
> We are Armada Collective.
>
> If you haven't heard of us, use Google. Recently, we have launched some of
> the largest DDoS attacks in history.
> Check this out, for example:
> https://twitter.com/optucker/status/665470164411023360 (and it was
> measured while we were DDoS-ing 3 other sites at the same time)
>
> Your site will be DDoS-ed starting Tuesday if you don't pay 25
> Bitcoins @ ...
>
> Right now we will start 30 minutes attack on your site. It will not be
> hard, we will not crash it at the moment to try to minimize eventual
> damage, which we want to avoid at this moment. It's just to prove that
> this is not a hoax. Check your logs!
>
> If you don't pay by Wednesday, massive attack will start, price to stop will
> increase to 50 BTC and will go up 25 BTC for every day of attack.
>
> If you report this to media and try to get some free publicity by using
> our name, instead of paying, attack will start permanently and will last
> for a long time.
>
> This is not a joke.
>
> Our attacks are extremely powerful - sometimes over 1 Tbps per second. And
> our bots can even bypass CloudFlare's (and similar cheap protections)
> javascript visitors check. So, no cheap protection will help.
>
> Prevent it all with just 25 BTC @ ...
>
> Do not reply, we will not read. Pay and we will know it's you. AND YOU WILL
> NEVER AGAIN HEAR FROM US!
>
> And nobody will ever know you cooperated.

We are not sure what to do. We have the following options:

  1. move our servers to Amazon cloud
  2. contact third party services to help
  3. pay ransom

Currently, we are leaning towards not paying any ransom, since it will encourage such behavior. We don't know whether #1 will help or not. We have contacted some third party providers who have experience in this area, but it can be very expensive to handle a 1 Tbps attack.

Any suggestions will be greatly appreciated. Thanks!

PeterJ
  • Report this to your ISP. – joeqwerty Nov 21 '15 at 21:29
  • This [NANOG talk](https://www.youtube.com/watch?v=ySwYidBv1ro) has lots of relevant information. – kasperd Nov 21 '15 at 21:34
  • One key piece of advice here is to ensure that you are not a profitable target. Those criminals will go after targets they think are profitable. That immediately rules out option 3. If you pay them anything, you can expect them to be back again (possibly under the disguise of being another group of criminals applying the same tactics). – kasperd Nov 21 '15 at 21:42
  • I have seen this before, ignored it and nothing happened. – user9517 Nov 21 '15 at 21:42
  • @Iain That sounds sensible. Pretending you never saw the email and dealing with the attack the same way you would have if you hadn't seen the email sounds like a good approach. – kasperd Nov 21 '15 at 21:50
  • Perhaps also forward the email (with headers) to the FBI just in case they are already looking into that group. Their website has a simple form to fill out. In preparation for the attack, lower the TTL of your domain a little and be ready to change your public IP and/or use a CDN as your new IP. Beyond that, I agree ignoring the email is a good idea. – Aaron Nov 21 '15 at 22:30
  • Hi, as advised before, you shouldn't pay anything to criminals. Is DDoS a threat for you? If yes, the best option is to hire a good server operations engineer. But you can use any DDoS protection service, like Cloudflare, which has many options and can be free for you. – BaZZiliO Nov 21 '15 at 23:49
  • Yes, we have reached the conclusion internally that we won't pay any ransom. However, the threat is real; it took down our site for 2 hours a couple of days ago. The next wave will be on Wednesday. We have contacted the third party services Cloudflare and Incapsula. The cheapest option is 2000 ~ 4000 a month with a 12 month contract. It is rather expensive, but we don't have much choice at this moment. – PeterJ Nov 22 '15 at 00:35
  • Could you proxy your site / service through AWS (or similar)? Have them host the 'public face' and route the requests to you via VPN. Not highly / long term practical, but it might alleviate some of the pain. – ethrbunny Nov 22 '15 at 01:06
  • We have considered that, but it can run up the cost quickly if the DDoS takes a lot of AWS bandwidth; also it's possible Amazon can shut us down. – PeterJ Nov 22 '15 at 02:39
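The email tells the recipient to "check your logs", and the thread turns on whether the demonstration attack was real and which sources it came from. The following is an added example, not code from the question or any commenter: it buckets web server access-log entries per second, flags seconds whose request rate exceeds a threshold, and lists the top source IPs in each, which is the evidence you would hand to an ISP or mitigation provider. It assumes the Apache/nginx combined log format; the threshold and the sample log lines are constructed for the example.

```python
"""Flag request-rate spikes in web server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format as written by Apache/nginx: client IP, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, unix_second, request) or None when the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def flood_report(lines, rps_threshold=50, top_n=3):
    """Return {second: {"rps": n, "top_ips": [(ip, count), ...]}} for seconds over the threshold.

    rps_threshold=50 is a constructed value; set it from your own normal-traffic
    baseline (for instance several times the busiest normal second).
    """
    per_second = Counter()
    ips_per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing mid-file
        ip, sec, _ = parsed
        per_second[sec] += 1
        ips_per_second[sec][ip] += 1
    return {
        sec: {"rps": n, "top_ips": ips_per_second[sec].most_common(top_n)}
        for sec, n in per_second.items()
        if n >= rps_threshold
    }


def sample_lines():
    """Constructed sample: 3 normal requests, then 60 requests in one second from 4 IPs."""
    base = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    lines = [base.format(ip="198.51.100.7", ts="22/Nov/2015:00:30:0%d +0000" % i) for i in range(3)]
    for i in range(60):
        lines.append(base.format(ip="203.0.113.%d" % (i % 4), ts="22/Nov/2015:00:31:00 +0000"))
    return lines
```

Run `flood_report(open("/var/log/nginx/access.log"))` against a real log to get the same per-second summary; a single second dominated by a handful of IPs is the pattern worth reporting.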

0 Answers