DDoS Extortion - Almost Universally an Empty Threat

Published: 2016-06-27
Last Updated: 2016-06-27 22:04:04 UTC
by John Bambenek (Version: 1)
2 comment(s)

Last year a wave of DDoS extortion threats against financial websites (which eventually broadened to other targets) appeared under the DD4BC moniker.  That activity eventually morphed into the Armada Collective, and both stopped around December 2015 with the arrest of a minor in Central Europe.  Starting in March, threatening emails resumed under the Armada Collective name, demanding a ransom to avert a massive DDoS attack.  Occasionally the senders would use booter services to deliver a small attack as a demonstration of the larger one they threatened.  Over at CloudFlare there is a good write-up on the latest round of threats.  The short version is that these latest threats rarely even include the demonstration attack; someone is simply spamming people with a bitcoin wallet address and hoping to get paid (and, unfortunately, some recipients are paying).  The moral of the story is that the actors behind emails demanding a ransom under threat of DDoS are rarely to be taken seriously.  Don't pay.

John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity



I try to teach people that stopping DDoS attacks is fairly simple if they are attacking an IP address (just disconnect the ingress and change your MAC address/IP address); however, if they are attacking a named address, i.e. yourweb.net, it can be aggravating, but still manageable. There should, however, be some sort of national firewall to prevent the amplification attacks, if there isn't one. I've noticed most of my DDoS/amplification attacks coming from foreign servers.
One indication of whether it may be legit is to take the Bitcoin address and append it to this URL:


That will tell you if anyone has paid up. If so, you know they are simply spamming multitudes of people and they actually have no way to know if it was you who paid up or someone else. You can also Google the address and see if anyone else mentions it in a post.
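The triage the diary and the comment above describe, as an added example (this is not code from the diary or from either commenter): pull the Bitcoin address out of a threatening email, keep only addresses that actually pass Base58Check (a garbled address cannot be paid, so it is noise), and compare the survivors with addresses other recipients have already reported. The sample email, the list of previously reported addresses and the recipient names are all constructed; the wallet in the sample is the well-known genesis-block address, used only because its checksum is valid. The regex covers legacy `1...`/`3...` addresses only, and the block-explorer lookup the comment mentions is an online step left to the analyst rather than performed here.

```python
"""Triage of a DDoS-extortion email (added example, not from the diary).

Steps: pull every Bitcoin address out of the message, keep only those that
pass Base58Check, then compare the survivors with addresses already reported
by other targets. The same wallet showing up in many reports means the
sender mass-mails one address and cannot tell who paid.
"""
import hashlib
import re
from typing import Dict, List, Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH / P2SH addresses: prefix 1 or 3, 26-35 Base58 characters.
# (Assumption: bech32 'bc1...' addresses are out of scope for this example.)
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
DEMAND_RE = re.compile(r"(\d+(?:\.\d+)?)\s*BTC", re.IGNORECASE)


def b58decode_check(addr: str) -> Optional[bytes]:
    """Return the decoded payload (version byte + hash160), or None if the
    address contains non-Base58 characters or its 4-byte checksum is wrong."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer form drops.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


# Constructed sample email. The second address is the first one with its
# last character changed, i.e. a typo that fails the checksum.
SAMPLE_EMAIL = """\
Subject: DDOS ATTACK!!!

We are Armada Collective. Your network will be DDoS-ed starting in 24 hours
if you do not pay 20 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
(backup wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb).
"""

# Constructed: addresses already reported by other recipients, with the
# (hypothetical) reporting organisations.
SEEN_ADDRESSES: Dict[str, List[str]] = {
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": ["bank-a", "isp-b", "retailer-c"],
}


def triage(email_text: str, seen: Dict[str, List[str]]) -> dict:
    """Extract payable addresses and decide whether this is a mass-mailed campaign."""
    valid: List[str] = []
    rejected: List[str] = []
    for addr in BTC_ADDR_RE.findall(email_text):
        (valid if b58decode_check(addr) else rejected).append(addr)

    match = DEMAND_RE.search(email_text)
    demand_btc = float(match.group(1)) if match else None

    if not valid:
        verdict = "no payable address"          # nothing to pay even if you wanted to
    elif any(addr in seen for addr in valid):
        verdict = "mass-mailed campaign"        # sender cannot tell who paid; don't pay
    else:
        verdict = "unseen address"              # check a block explorer for inbound payments; still don't pay

    return {
        "addresses": valid,
        "rejected": rejected,
        "demand_btc": demand_btc,
        "verdict": verdict,
        "other_reports": sorted({org for a in valid for org in seen.get(a, [])}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, SEEN_ADDRESSES).items():
        print(f"{key:14} {value}")
```

Addresses that fail Base58Check are kept in `rejected` rather than silently dropped, because a threat email whose only wallet is unpayable is itself a strong sign of a careless mass mailing.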
