Financial institutions are a highly lucrative target for cyber criminals due to the sensitive data they hold and given the vast knock-on impact of any disruption to their day-to-day business operations. Indeed, consumers now have little tolerance for downtime and expect a sophisticated, round-the-clock user experience as standard. With this in mind, it is of little surprise that Distributed Denial of Service (DDoS) and ransomware attacks are on the rise against this sector in particular.
Our own security researchers recently identified a coordinated DDoS extortion and ransomware campaign, which has been targeting financial institutions in the last few weeks. Senior managers at the affected organisations received emails purporting to be from the Armada Collective. These emails, sent from the email address email@example.com, threatened that unless a payment of 1 BTC was made by a specified date and time, a 10-300 Gbps DDoS attack would be directed at the company. Additionally, the firms were also threatened that all computers on their networks would be attacked with the powerful Cerber ransomware, should they fail to pay the initial ransom.
The Armada Collective
The Armada Collective is an online threat actor that uses the threat of DDoS attacks to extort Bitcoin payments from its targets. The group first emerged in September 2015 when it attempted to extort money from Swiss hosting providers. From this point, the Armada Collective targeted email and domain services, a gambling website, financial institutions and a data centre between September and mid-December 2015. Nothing more was heard from the group until March 2016, when emails were sent to multiple Swiss financial institutions demanding a ransom payment. Interestingly, these threats were not accompanied by a ‘demonstration’ DDoS attack.
Research suggests that activity associated with the Armada Collective since December 2015 has been that of copycat actors. The high balances of some of the Bitcoin wallets associated with this recent activity indicates that some ransom payments have been made, despite the absence of accompanying DDoS attacks.
In June 2016, reports emerged of companies in the US, UK and Germany receiving extortion emails purporting to be sent by the Armada Collective. These emails featured the same basic messages as previous ones used by both the group and copycat actors, threatening that if the ransom was not paid, the target would be subjected to a 1Tbps DDoS attack. At the time of writing, only one company has been affected. Furthermore, other than a payment of 0.04BTC into one of the wallets, there has been no activity on any of the Bitcoin wallets referred to in these extortion emails.
The threat actors behind the extortion campaign targeting financial services organisations threatened to compromise the victims’ servers and databases through known vulnerabilities, subsequently attacking all ‘computers on the network’ with Cerber Ransomware, should the victim fail to pay the ransom. Cerber Ransomware is sold to distributors on underground Russian forums and is often distributed via exploit kits. It is a highly powerful form of ransomware that has been written with attention to detail, with rich configuration options and various tricks to make analysis more difficult. Researchers who have explored the capabilities of the ransomware expect it to gain popularity and demonstrate new tricks in the future.
It is our assessment that the threat actors have made reference to Cerber Ransomware in an attempt to increase their standing. A brief search of Cerber Ransomware may well be enough to convince a victim to pay the fee.
ProtonMail: An example where paying up did not work
In November 2015, ProtonMail, a Swiss-based end-to-end encrypted email provider, posted a statement on its website claiming to have experienced a ‘sustained’ DDoS attack. The company received an extortion email followed by the DDoS attack, which took the company offline for a period of 15 minutes. Unfortunately, ProtonMail was then subjected to a second attack, reaching 100Gbps; it decided to pay the 15 Bitcoin ransom – which, at the time equated to $5,672 – yet the attack continued.
The Armada Collective emailed the company to deny responsibility. Subsequent analysis determined that the first DDoS attack, which lasted 15 minutes, was volumetric and focused on the company’s IP addresses, while the second attack targeted weak points in the ISP infrastructure.
Extortion campaigns are, of course, not always successful. Our team has identified an extortion email that also claimed to be the work of the Armada Collective, which was sent to a UK-based company demanding Bitcoin payment to avoid a DDoS onslaught. The email was quarantined in the firm’s spam folder and was only discovered days after the ransom payment deadline. The company did not suffer a DDoS attack as a result, nor did the threat actors continue dialogue after the initial demand was sent.
It is wise for companies to actively stress test their DDoS mitigation procedures. The Armada Collective has previously attacked IP address ranges associated with a target, however, copycat threat actors have escalated this to target vulnerabilities in ISPs. In addition, those targeted should look up the source ISP of the service provider that sent the email and contact their abuse team. They may disable the source of the emails or alert the unsuspecting customer that may own the machine. Notifying the source ISP is helpful in reducing the amount of extortion emails.
Companies should also actively monitor all inbound communications and report any further extortion attempts to a security team that can assess the threat and advise accordingly. A comprehensive DDoS mitigation plan must be supported by ongoing security awareness training; employees should also be reminded to remain vigilant in respect to all email correspondence. All links and attachments should be treated with caution and should not be clicked or accessed if the source of the email is unknown.
With these types of attacks on the rise, having a disaster recovery plan in place is now a must for all organisations. It is wise to update computer systems as patches are released. Not only is this a good practice, it also enables companies to restore systems to a known safe state with minimal disruption to normal working practices.
To pay or not to pay
The current advice is that extortion payments should not be paid. Threat actors such as Armada Collective often adopt a scattergun approach, distributing emails to a number of targets in the hope that at least one is successful. At the current exchange rate, our researchers have identified relatively small Bitcoin payments being demanded, however, any payment made is ultimately supporting criminal activity and is also, as we have seen, no guarantee of protection.
A senior threat intelligence analyst within the research and innovation team at Nettitude, Phil provides in-depth analysis of a range of current threat actor trends. He has over a decade’s worth of experience working in UK military intelligence branches.