DDoS extortion 2016: more Wizard of Oz con than deadly threat?

When the loathed DD4BC (DDoS for Bitcoin) extortion group took a tumble in January 2016, organisations across the developed world might have assumed the worst of the DDoS blackmail wave was over. It’s not 100 percent clear who or what DD4BC was, but Europol’s multi-nation Operation Pleiades, in which two suspects were arrested that month in the Balkans, seemed to kill stone dead the activity of an organisation that had extorted large sums of money from thousands of businesses in a matter of months.

It was an impressive response by police but unfortunately, as in past anti-cybercrime actions, it created a vacuum for opportunist groups to move into. Only a few months on and the names of these new groups have become well known as their threats have flooded business inboxes across Western Europe and beyond.

Despite this, with threatened DDoS attacks often not arriving, the nature of these entities has come under increasing question: do any of them actually exist in any meaningful way or are they increasingly just copycat chancers out to manipulate targets using threats? For those that have delivered, what is the size of this DDoS attack capability? Massive attacks are often threatened but rarely delivered. Equally, size has never been the only issue for most businesses as even small attacks can cause disruption.

Doubt spread far enough for one service provider, CloudFlare, to start mocking them with comparisons to the Wizard of Oz, the archetype of the fairy tale conman who appears terrifying but turns out to be anything but.

It now looks as if criminals have adopted DDoS brand names based on their notoriety rather than capability. They know that a threat, even one not carried out, generates risk. Businesses hate risk even if they suspect it won’t materialise. This is a clever form of psychology because it manipulates the business orthodoxy of the last 30 years that businesses should manage risk as a primary element of their business.

The current brand leaders in this game include the following names. This is not an exhaustive list but it covers the ones police and providers consistently mention.

Armada Collective

Founded some time in 2015, this group went toe-to-toe with DD4BC as the most active in the DDoS extortion market and was almost certainly connected to them in some way. It started with potent attacks on large organisations such as banks, which have become less so over time, possibly after the disruption of DD4BC and the emergence of copycats.

The Swiss national CERT and Akamai have put out warnings about this group’s extortion MO, which typically involves trying out smaller DDoS attacks in advance of a much larger one that often never arrives. Like all extortion, the power of this approach is psychological. It is still not clear what capability this group has but it has been potent enough to rake in anything from a few thousand to tens of thousands of euros (demanded in Bitcoins of course) just in case.

Copycats? Other groups seem to have built a living by pretending to be the Armada Collective which might have stopped operating after DD4BC. But the mere threat of an attack can often be enough.


Kadyrovtsy

A Polish-language group connected to an attack Computerworld UK recently covered in some detail on a German payments processor (although, again, it might have been a clone using that name). Seems to have started attacking Polish companies before moving its attention to the UK and Germany. DDoS attacks launched up to around the 100Gbps mark, overwhelmingly nuisance volumetric attacks. Not sophisticated but persistent with plenty of copycats borrowing the brand’s notoriety. Kadyrovtsy still sends out huge numbers of extortion demands.

Lizard Squad 2.0

This rather loose group became infamous for semi-hacktivist DDoS attacks during 2014, largely directed towards gaming servers. After a handful of arrests connected to the group, things went quiet. In 2016, from nowhere, CloudFlare reported that its customers had started receiving ransom notes that claimed to be connected to Lizard Squad, although these were almost certainly a borrowing of the brand by other cybercriminals hoping to use publicity to ramp up their threats.


Despite arrests connected to this group and the Armada Collective that possibly spawned it, demands are still being sent out in this group’s name, mainly to SMEs. The fact that the brand is still in circulation months after its alleged perpetrators have been arrested underlines the power of the brand in the DDoS extortion world.

Is DDoS a con?

One might conclude from this that DDoS criminal brands have become almost meaningless as copycat groups try their luck and yet, paradoxically, DDoS attacks are actually increasing in size, frequency and complexity.  Computerworld has run several stories in recent weeks about macro DDoS trends using data from mitigation firms and there’s no doubt it’s turned the Internet into a bit of a traffic battleground for a clutch of firms that run large datacentres. Most likely, DDoS is being used for a variety of purposes of which straight extortion is only one smaller subset.

Where does this leave the average business? Should they just ignore the threats?

James Chappell, co-founder and CTO of Digital Shadows, a UK startup that sells inside intelligence on threat groups, agrees that DDoS extortion has been consumed by the copycats.

“In DDoS the groups such as DD4BC and Armada Collective have bred a whole range of copycat groups.  In terms of scale it's tremendously challenging to put a precise figure on it due to the amount that goes unreported. But we do know that most enterprises experience these types of attack as routine,” he says.

However, whatever the potency of the current DDoS threats, he warns against just assuming threats will always be empty. The fact that extortion in one form or another (ransomware and calculated data breach releases being other examples) has become the number one business model for criminals is ominous.

“Extortion has moved from being solely a targeted activity (historically in the gambling and gaming sector) to include a much higher volume of opportunistic attacks.  For this reason, it's become something that all businesses have to consider as part of their threat assessments.”

If DDoS drops in ransom success rates, ransomware attacks are still an alternative form of extortion that can be wielded and there the attacks are certainly not hypothetical. Extortion is a business model that can be used to attack businesses in all sorts of ways.

Conclusion: don't be the cowardly lion

It is possible to call the bluff on the new wave of DDoS groups but the larger lesson is to come up with a plan for the day a ransom demand drops into the email inbox. Computerworld covered some of the lessons in an earlier article that looked at a real attack that happened in June 2016. We publish an amended version of that below:

- Inform your datacentre or ISP. This might seem obvious but it is critical that they know as soon as possible of the extortion threat. When choosing a datacentre, make sure it is one that is open to helping in these situations.

- Don’t pay the ransom and don’t communicate with the extortionists. “They might just attack anyway and ask for more money. They might come back under a new name. They might tell their friends that we are willing to pay.” They might also be bogus threats.

- Reach out to your partners for advice. Many of them will have had similar experiences. That is critical in terms of assessing the real risk. If a group using one of the names above (or a new name) signs the extortion note, knowing that they’re sending them to other businesses is important intelligence.

- Consider using DDoS mitigation and expert consultants. It costs but the price is small compared to the protection it offers. Techies or pen-testers with experience in DDoS can also offer the sort of advice that saves valuable time, including how the attackers operate.

- Phone the police. Police forces are no longer as slow off the mark as they used to be. In England and Wales, regional forces will often now have dedicated units and will be able to call on the expertise of specialist national units.


Copyright © 2016 IDG Communications, Inc.
