How do they proceed

Recent posts from "Threats

Cyberattack on tank logistics company Oiltanking

What companies should do in case of emergency

Why IT security must stay on the agenda

Recent posts from "Networks

Network Access Layer Switches

Securing IoT

Video Tip #51: Process Hacker

Recent articles from "Platforms

Containerization on the safe side

Secure Google Cloud Platform properly – even for free

The issue of robustness in cryptography is becoming increasingly urgent as the quantum age approaches. This poses further challenges for companies and nation states that need to protect their systems

The Future of Cryptography – Part 1

Latest articles from "Applications

The server-side approach to tag management removes obstacles and glitches that browser-side tags often struggle with and facilitates compliance with personal data obligations,

Reliable and secure data processing

Q5: APIs are a contract between the service provider and the service user. When an application uses an API, it must conform to an agreed standard, with implicit expectations. What happens behind the scenes is none of the consumer's business

F5 warns of costs due to operational overhead and security risks

In this video tip, we show how to monitor and control processes in real time using the open-source Process Hacker tool on Windows

Video Tip #51: Process Hacker

Commentary on Veracode’s SoSS Report 11

Recent articles from "Identity and Access Management

Untethered Labs' GateKeeper allows users to securely log in to their workstations without needing a password

GateKeeper from Untethered Labs

Artificial intelligence can imitate people's voices. Fraudsters are already exploiting this on the phone. A Bochum team is working on countermeasures

German Internet users are slow to change their habits: The most popular German passwords in 2021 are still insecure

Blockchain applications present privacy challenges, but with a little planning, they can be solved

DSGVO and the Blockchain in practice

  • Background
  • Coverage

Recent articles from "IT Awards

Security awareness training curricula should be tailored to the specific needs of different employee groups in the company

EDR systems use artificial intelligence and machine learning to identify conspicuous endpoint behaviors to detect malware and attacks

When WAFs are used in addition to existing security measures, they provide additional protection and allow, for example, the simultaneous closing of security gaps for several applications at the same time

  • Awareness and employees

Latest articles from "Security Management

The tank logistics company Oiltanking has been the victim of a cyberattack. All of the company's loading and unloading systems have been affected, preventing tankers from loading to supply customers

Cyberattack on tank logistics company Oiltanking

IT managers worldwide have the goal of achieving complete observability quickly and sustainably. This is the only way companies can get an all-around view of all telemetry data, including metrics, events, traces and logs

Pandemic accelerates path to comprehensive observability

A hacker attack comes as a shock to many organizations. The most important thing: stay calm and call in the experts

What companies should do in case of emergency

  • Head Geeks Speech
  • SAP Security
  • Definitions
  • Security startups
  • Security Corner
  • Security Management
  • Security Best Practices
  • (ISC)² and the authors

Latest articles from "Specials

Alice and Bob are synonymous names for communication partners to explain communication processes and cryptographic operations

Definition Alice and Bob

If IT professionals and their organizations fail to review potential threats and take action, they risk extremely serious consequences

Better collaboration between IT experts and executives

DevSecOps is an extension of the DevOps concept to include security aspects

  • Companies
  • Images
  • Podcasts

Latest articles from "IT Security Best Practices

XDR (Extended Detection and Response) detects attacks on endpoints early

Best Practices for Detection and Response

Effective emergency preparedness must also anticipate advanced attacks

Best Practices for Detection and Response

Protecting operational technology requires special security measures

Best Practices for OT Security

Security-by-design is especially important with cloud apps

Best practices for cloud applications

DDoS attacks against companies DDoS extortionists – who are they and how do they operate??

One in four companies in Germany has already been affected by DDoS extortions. Instead of just threatening via emails, perpetrators have recently been transmitting their demands for protection money in tweets and hidden within DDoS attack traffic. The extortionists themselves can be fundamentally divided into two groups: professionals and free riders.

Companies on the topic

There are different groups of cybercriminals who make money with DDoS extortion; some of them are professionals, others are just freeloaders.

In early 2018, a new type of DDoS extortion attack captured public attention. Instead of writing extortion emails, the perpetrator(s) delivered their protection demands in "packet captures" . The data packets are part of the new and extremely dangerous memcached reflection attacks that the Link11 Security Operation Center (LSOC) first observed in late February 2018.

The blackmailers demanded the ransom in the Monero cryptocurrency. Usually the demands are made in Bitcoin. Unlike Bitcoins, however, Monero offers more anonymity. All Monero transactions – across payment channels – remain invisible to outsiders. This makes tracking the flow of money – and thus solving the crimes – extremely difficult to completely impossible.

Since DDoS extortionists largely cover their tracks when communicating in addition to processing payments, they are rarely caught. Yet they leave traces. Nevertheless, since the launch of the first major wave of extortion attacks in Germany in 2015, LSOC has gathered and analyzed a great deal of information about the perpetrators. According to the nature of their actions, there are two main waves of DDoS criminals:

The professional extortionists of the first wave

The perpetrators of this group invest their knowledge, time and resources in thorough preparation of any DDoS attack. Companies are usually approached one at a time, one after the other. Before an attack

  • the blackmailers make sure that the victims are carefully selected,
  • Conduct comprehensive vulnerability tests,
  • present well visible demo attacks and
  • Send individual cover letters with a personalized bitcoin address.

Among the most well-known criminals using this approach:

DD4BC – "We are not amateurs"

DD4BC is internationally known since 2014 and active in Germany and Austria since 2015. Whether DD4BC is in fact an association of several cybercriminals or merely an individual is not known to this day. However, since the arrest of a suspected accomplice of DD4BC in December 2015 in Bosnia and Herzegovina, many things point to a group.

The goal of DD4BC was to extort Bitcoins. The amount of the demand varied depending on the industry and could be up to 50 Bitcoins. The victims included mainly large companies from the financial sector, SaaS and hosting providers, including numerous large banks in Germany.

The claim was backed up with a demo attack. Already in the first mail it was explained in English "We are not amateurs… If you are thinking about reporting this to authorities, feel free to try. But it won’t help."If the victim did not pay, a large DDoS attack began, the amount of money demanded increased.

The original Armada Collective – "cheap protection doesn’t help"

The original Armada Collective had been operating across Europe since the fall of 2015, with the focus of their attacks in Greece and the DACH region, among others. Their approach and way of communication was very similar to DD4BC’s. Victims included banks, hosting providers, data center operators, and e-commerce and online marketing agencies.

The warning times for the demo attacks, with which the perpetrator or perpetrators, underscored their demands, were short. Already in the first mail it was said, "Our attacks are extremely powerful … So, no cheap protection will help."

The amount of the claim varied between 20 and 30 bitcoins. Several recipients in one company were written to at the same time. In the attack on three Greek banks, the record sum of 20.000 Bitcoins required. According to the exchange rate at the time, that was the equivalent of about 7.3 million euros.

ZZb00t – "mentally disturbed Gray Hat"

The ZZb00t attacks in April/May 2017 were perpetrated by a lone perpetrator who wanted to use his DDoS attacks to draw attention to the lack of DDoS protection offered by companies and was seeking publicity. What was special about ZZb00t was that the perpetrator warned companies early on with numerous tweets before each of his attacks, giving them several hours to improve their cybersecurity. Only after that the shelling began.

The blackmailer’s target group included primarily IT service providers, but also companies in the logistics, telecommunications and e-commerce industries. All attacks were executed in a highly professional manner, simultaneously exploiting multiple vulnerabilities in companies’ security systems.

The perpetrator used to work as an IT security consultant and, according to his own statements, suffered from a "mental disorder". He referred to himself as "Gray Hat". In April 2018, he was given a suspended sentence of one year and 10 months.

The free riders of the second wave

The copycats among extortionists copy successful approaches of professional perpetrators.

For their DDoS attacks, they usually use:

  • Already published extortion letters,
  • A mass mailing for extortionist emails and
  • Often a bitcoin address for many.

Often they even appropriate the known names of the professional perpetrators to increase the fear among their victims.

Payment of the demands is usually not followed up by the second wave extortionists. Victims do not pay, threats are not put into action. DDoS attacks do not follow. Among the most well-known freeloaders are:

Lizard Squad – DDoS attack to order

The main target group of the original Lizard Squad included and still includes online game operators and social network platforms. The group is still highly active, although some of its leading members have been caught, put on trial and have already confessed to numerous extortions.

In April 2016, DDoS extortion by the so-called Wannebe Lizard Squad first came to light.

Armada Collective

Followers of Armada Collective have been repeatedly threatening businesses around the world since the summer of 2016. The copycats are bluffing in most cases. Using the threat of DDoS attacks alone, the perpetrators are said to have targeted more than 100.have earned $ 000.

New World Hacking Groups

The New World Hacking Groups group started making news in the fall of 2016. Their pseudonym was strongly reminiscent of the name of an internationally known hacker collective: the New World Hackers. They were supposed to have crippled the BBC’s website on New Year’s Eve 2015 with a DDoS attack of 602 Gbps. Free riders, on the other hand, are not known to implement DDoS attacks. In their extortion emails, whose texts are not copied from the Armada Collective or DD4BC, but are full of errors, they often used an identical Bitcoin address. "

The original New World Hackers were less than pleased by the DDoS extortions on their behalf on their Twitter account @NewWorldHacking. In a tweet, they clarified, "Once again. These are people claiming to be us. We don’t send out emails for such things, period."

Red Door – 3 bitcoins or an attack will follow

The e-commerce industry has been the main target of Red Door. The extortion letters were very similar to those of DD4BC. In its modus operandi, however, the grouping was more aligned with the original Armada Collective.

The demanded amount was usually 3 bitcoins, if time passed, the demanded amount increased. However, an attack did not follow.

Because the freeloaders often act under someone else’s name, it is usually impossible for those affected to see how serious the extortionists’ threat is and how likely a massive DDoS attack actually is in the event of non-payment.

Cyber extortion with Denial of Service can affect any company

The risk for the companies to become victims of DDoS extortion is very high. According to the latest statistics from Link11, of the companies surveyed in the past were already:

  • 32.5 percent affected by DDoS attack,
  • 21.5 percent have been threatened by DDoS extortionists,
  • 21.1 percent were prompted by an acute DDoS emergency situation to invest in DDoS protection.

Even if the payments to the extortionists are very rarely admitted by the companies, the economic damage to the companies is very high. The damage to the company’s image – once a DDoS attack becomes public knowledge – can even be devastating and cannot be quantified in monetary terms.

In addition to blackmail as a motive, DDoS attacks also hit their target seemingly out of nowhere. In 1. According to observations by the Link11 Security Operation Center, in the first quarter of 2018, over 14.000 DDoS attacks launched against targets in Germany, Austria and Switzerland.


Professional, comprehensive and – most importantly – early DDoS protection is the best way for businesses to sustainably protect themselves from widespread DDoS attacks. Because in order to save their own time and resources, most cybercriminals refrain from extortion as soon as they detect a functioning DDoS protection at the targeted company.

Like this post? Please share to your friends:
Leave a Reply

;-) :| :x :twisted: :smile: :shock: :sad: :roll: :razz: :oops: :o :mrgreen: :lol: :idea: :grin: :evil: :cry: :cool: :arrow: :???: :?: :!: