Last week, the VPN service Cloak found a frightening message in its inbox:"We are Armada Collective," the email read. "We have launched the largest DDoS [distributed denial-of-service attack] in Swiss history and one of the largest DDoS attacks ever… All your servers will be DDoS-ed starting Monday (April 25) if you don’t pay our protection fee — exactly 10.06 Bitcoins." A bitcoin address was provided, along with a threat that for each day, the price would increase by an additional 10 bitcoin, roughly $4,400.
Cloak decided not to pay, pushing back with a note to users a few days later. "We apologize for any disruption as a result of these attacks; please know that we will do everything in our power to thwart them," the company wrote in a blog post today. "But let us reiterate: no matter what happens, we simply will not pay these garden-variety thugs." (The last sentence was later removed.) In the days that followed, the company discovered that a number of other VPN services had received the same note. Whoever was sending the threats had been busy.
The mysterious attackers were all talk
It’s unclear why Cloak and similar VPN services were targeted, but their infrastructure leaves them uniquely vulnerable to DDoS. Denial-of-service attacks work by sending floods of phony traffic to a service, making it impossible for administrators to distinguish between bad requests and legitimate users. Websites can mitigate that damage by rerouting traffic and caching pages across the network — but VPN services can’t protect themselves nearly as well.
When Monday came, however, the promised attack never arrived. Calling around, Peck found that other threatened VPN services had also come away clean. As it turned out, the mysterious attackers were all talk.
That routine turns out to be remarkably common, although most targets never go public. The same group that targeted Cloak sends nearly identical messages to between six and 10 targets every day, according to various estimates from content delivery networks. A recent post by CloudFlare identified more than 100 different attacks from the group since March. Even more surprising, CloudFlare couldn’t identify a single one that had resulted in a measurable denial-of-service attack. Whoever contacted Cloak is good at making threats, apparently, but has no interest in following through.
"We have customers that receive this on a quarterly basis."
That doesn’t mean nobody’s paying. CloudFlare reported more than $100,000 sent to Armada-linked bitcoin addresses since March. Often times, different attacks requested funds to be sent to identical Bitcoin addresses. Since Bitcoin wallets are typically anonymous, that would make it effectively impossible to tell which targets paid and which didn’t. (Strangely, someone appears to have sent $2 to the account named in Cloak’s ransom email, although it’s unclear where the money came from or why.)
The attack works because, historically, denial-of-service ransoms have been an effective and popular scheme for online criminals. Most targets never go public, but recent attacks were aimed at popular services like Meetup, Feedly, and even three Greek banks.
Over time, experts have seen attackers get lazier, sending out more messages but executing fewer and fewer attacks. "It’s a return on investment," says Yuri Frayman, CEO of ZenEdge, which specializes in mitigating denial-of-service attacks. "It doesn’t cost any money to send out a blanket of emails once you have the right contacts. You often get payments for almost no effort. It’s a spray-and-pray approach to getting paid."
In many cases, even a failed attack won’t deter criminals from trying again. "We have customers that receive this on a quarterly basis, and we consistently mitigate the attack for them, and the attackers come back a few months later almost as if it’s a robot," Frayman says.
Armada Collective is a particularly tricky case. The group became prominent in November after a major attack on a string of secure email services including ProtonMail, taking many of the services down for several days. But it’s not at all clear that the people who threatened Cloak are the same people who took down ProtonMail. In November, many analysts linked Armada Collective to an earlier group called DD4BC (DDoS For Bitcoin). Many DD4BC members were arrested by a Europol investigation in January. According to CloudFlare, Armada Collective threats have been largely quiet for the four months after the ProtonMail attacks. That suggests the new group may be a copycat that’s simply taken on Armada’s name as a way to scare targets.
Still, the rise of phony threats may cause problems for criminals in the long run. The traditional advice to a company targeted by a denial-of-service threat is not to pay on general principle. A target that pays encourages criminals and opens itself up to further demands down the road. After the latest back of threats, there may be a third reason: the criminals could very well be bluffing.