139

I received the following email, addressed to me at an email address on my personal domain (for which I run my own mail server on a VPS):

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective. lmgtfy URL here

Your network will be DDoS-ed starting 12:00 UTC on 08 May 2016 if you don't pay protection fee - 10 Bitcoins @ some-bitcoin-address

If you don't pay by 12:00 UTC on 08 May 2016, attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. And we pass CloudFlare and others remote protections! So, no cheap protection will help.

Prevent it all with just 10 BTC @ some-bitcoin-address

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

Obviously, I'm not going to pay the ransom. Should I do anything else?

Update:

I forwarded the email and original headers to the originating ISP. They replied that "Measures have been taken." So, umm, yay? I guess?

alexw
  • I've heard about this group in particular. They never actually ddos anyone. – Rápli András May 05 '16 at 00:26
  • I would say get behind CloudFlare (and change and hide your real IP). While the email is probably fake and you probably won't get DDoSed, it never hurts to get some protection. When they say that they can pass CloudFlare's protection they are probably lying. After all, the 1 Tbps claim looks like a lie to me, so these are not very honest people... – Anders May 05 '16 at 01:17
  • I agree that the claim sounds fishy. Getting around Cloudflare and doing a 1 Tbps attack would be a newsworthy attack (I think the largest recorded was 400 Gbps back in January 2016). Not something you would be going to small companies and making $4000 threats about. – Cody P May 05 '16 at 06:20
  • @CodyP 1Tbps is already a lot, then what is 1Tbps per second? – Hagen von Eitzen May 05 '16 at 06:57
  • @HagenvonEitzen Not only is it a fast attack... _it's accelerating_ – James T May 05 '16 at 08:10
  • @JamesTrotter At 1 Tbps/s, how long until they saturate the worldwide Internet? I don't know what the global available bandwidth is, but would hazard a guess that we'd be looking at Pb/s range figures. So at that rate, they would saturate the Internet in maybe an hour. If the threat was true as written, also origin ISPs would scramble to stop them if only to save their own bottom line. – user May 05 '16 at 09:33
  • Maybe they meant 1 tablespoon (tbsp) per second. – edmeme May 05 '16 at 10:21
  • Several of my customers have received identical threats, no DDoS'es have been observed. Bottom line: don't pay, contact local law enforcement agencies (extortion is a criminal offense in most countries at least), and make sure you have a procedure for dealing with attacks ready (which you should have in any case). – Teun Vink May 05 '16 at 11:05
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/39346/discussion-on-question-by-alexw-i-got-an-email-threatening-to-ddos-me-if-i-dont). – schroeder May 05 '16 at 16:30
  • The *really* scary thing here is that this actually appears to be working (based on looking up some of the BTC addresses used in these emails, because bitcoin is not that anonymous), meaning there are people gullible enough to believe this and pay in charge of some of these companies. – Alexander O'Mara May 05 '16 at 21:04
  • @AlexanderO'Mara it is also possible that they are "priming the pump" by sending money to their own BTC addresses. – alexw May 05 '16 at 21:52
  • The company I work for was "accosted" by these guys a few months back. They did actually DDoS the site for 30 minutes, and then they started contacting our customer service inbox asking for the bitcoin ransom. Turns out, our DDoS mitigation system was broke, so they actually did us a favour! They kept sending the threatening e-mails for about two weeks, but we just called their bluff and ignored them. I still read the e-mails sometimes and laugh about it, management actually held a meeting to consider paying these guys! – SamBC May 05 '16 at 07:49
  • I just love the part where they were asking your customer service for the ransom. I can easily imagine it: "_Hey, we recently DDOS'ed your company and didn't yet receive our payment. Could you forward this to your management, please?_" – Sebb May 05 '16 at 14:10
  • Did you fix your DDoS system? – Dennis May 05 '16 at 14:26
  • Since I'm CEO and CTO, I held a brief meeting in my head, which went like this: CEO: "Hey Alex, should we pay the ransom?" CTO: "Hell no." CEO: "But what if they make good on their threat?" CTO: "So what? We don't make enough money that it would matter. Also, I'd rather spend the $4K on mitigation and/or . Also, screw those guys." CEO: "Oh, right." – alexw May 05 '16 at 15:36
  • Your DDoS system was broke? No wonder you didn't pay; your DDoS system couldn't afford it! – wizzwizz4 May 05 '16 at 17:14
  • @alexw what purpose would that serve? – Ant May 06 '16 at 10:17
  • @Ant it would make it seem like other people are paying the ransom. So, I might be more likely to think the threat is real and pay if I see other people paying. – alexw May 06 '16 at 16:33
  • This looks like the assassination threat spam: https://www.sophos.com/en-us/press-office/press-releases/2007/01/deathphish.aspx – dr_ May 06 '16 at 19:57
  • Amateurs...`lmgtfy URL here` – Pedro Lobito May 08 '16 at 00:54
  • @alexw True, but by the time you see that "people are paying" you've already seen that "they can't tell who pays" and "Bitcoin isn't as anonymous as they claim." Hence, I think they probably actually got paid that money. Or else they're really that dumb and didn't think it all through... – Nateowami May 08 '16 at 13:20
  • @Nateowami that's some fairly circular logic. Here's some straightforward logic: this is more "legitimate" than a Nigerian prince scam, and people fall for those all the time. I have zero doubt that they have gotten paid. – Jason May 10 '16 at 13:54
  • @Jason I don't understand what you're getting at. How is my logic circular? While I agree priming the pump is unnecessary, my point is that it doesn't help them *at all*. Anyone who checks the ledger and sees that they have been paid should also realize that because they reuse addresses there is no way for them to know who pays. A real DDoSer would not reuse addresses. – Nateowami May 11 '16 at 01:18
  • I find myself wondering how much CloudFlare paid to be mentioned in this email. I mean DDoS attacks are bad and all but wow ads are getting aggressive. – candied_orange May 11 '16 at 06:26
  • @Nateowami "priming the pump is useless because you can't see who sent the money, therefore because they have money in their wallet I believe they've actually been paid" - which is exactly the conclusion that priming the pump is supposed to help you reach. – Jason May 11 '16 at 13:40
  • @Jason That wasn't my point, but I see what you're saying now. My point was that they will never know if you pay or not. Hence, anyone that sees that people pay, should also realize that everyone who paid was tricked, because the scammer can't even tell who is paying and who isn't. See [this comment](http://security.stackexchange.com/questions/122336/i-got-an-email-threatening-to-ddos-me-if-i-dont-pay-a-ransom-what-should-i-do?noredirect=1#comment224752_122337). – Nateowami May 11 '16 at 14:51
  • @Nateowami Ah, yes, now I get what *you're* saying :) – Jason May 11 '16 at 20:09
  • Did you get DDos'ed? Or it was fake? I'm just asking because we got the same email and since I read this before, I just knew that was a fake threat. – Nighthunter22 Jun 22 '16 at 07:13
  • They're a bunch of idiots to put a LMGTFY URL in, since it shows that they are not hackers (the URL is there on the CloudFlare blog) – Suici Doga Jul 08 '16 at 13:11

8 Answers

107

This article might be important for you: https://ca.news.yahoo.com/armada-collective-ddos-threats-were-212413418.html

Someone has been copying the Armada Collective's email content to scare people into paying, but no attacks have been recorded.

So, possibly, you don't have to do anything.

schroeder
  • Same story basis, different source http://www.theregister.co.uk/2016/05/04/empty_ddos_threats_reloaded/ for those wanting more than one resource – gabe3886 May 05 '16 at 12:24
  • Also more info on the Cloudflare blog: https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/ – Jonas Czech May 05 '16 at 15:56
  • Crucial aspect: `the extortion emails reuse Bitcoin addresses, there's no way the Armada Collective can tell who has paid and who has not` (from the Cloudflare blog). That gives one sufficient condition for knowing the email was fake: if it reuses a known bitcoin address that's been used in similar emails, it is overwhelmingly likely to be fake. – E.P. May 05 '16 at 17:03
98

Based on the following article you may simply want to ignore it. This seems to be a common scam and your e-mail looks almost exactly like the one from the following article.

http://arstechnica.com/security/2016/04/businesses-pay-100000-to-ddos-extortionists-who-never-ddos-anyone/

Look up the source ISP of the service provider that sent the e-mail and contact their abuse team (abuse@company.com). They may disable the source of the e-mails or alert the unsuspecting customer that may own the machine. Notifying the source ISP is helpful to reduce the amount of this. Make sure you send them an e-mail with full headers. If the source appears to be a compromised system at a large company I would notify them in addition to the ISP. Do this by CC'ing both the company and the ISP at the same time for fastest results. Keep in mind some malicious systems may also be impersonating a compromised host even though they are not, so notifying the ISP may actually be more important than notifying the owner of the system.

Trey Blalock
  • Looks like they sent it from yourserver.se, through openmailbox.org. I guess I should contact yourserver.se. – alexw May 05 '16 at 00:26
  • I like the part where they say they'll know it's you that paid, but then go on to say bitcoin is anonymous and nobody will know you co-operated. Contradicts themselves, kinda. *"Pay and we will know its you [...] Bitcoin is anonymous, nobody will ever know you cooperated."* – hd. May 09 '16 at 10:46
  • @hd. not necessarily, if they create a bitcoin address per victim they can identify which victim sent them money. While other people couldn't, because they don't know which bitcoin address the victim was told to send the money to – Elva May 09 '16 at 15:57
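The answer above says to forward the mail with full headers to the abuse desk of the source ISP, and the comment notes it arrived via a relay. Below is an added example (not from the answer or the question, and not the real headers of alexw's message) of how to pick the right IP to report from the Received chain. The sample message, hostnames and addresses are constructed (RFC 5737 documentation ranges); `mx.mydomain.example` is a hypothetical name for your own MX.

```python
import email
import ipaddress
import re

# Constructed sample (not the message from the question): hostnames are
# placeholders and the addresses come from RFC 5737 documentation ranges.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.mydomain.example (Postfix) with ESMTPS id 4F0C1
    for <me@mydomain.example>; Wed, 4 May 2016 21:10:02 +0000 (UTC)
Received: from webmail.example.net (localhost [127.0.0.1])
    by relay.example.net (Postfix) with ESMTP id A1B2C3;
    Wed, 4 May 2016 21:09:58 +0000 (UTC)
Received: from [203.0.113.9] (helo=victim-pc.example.com)
    by webmail.example.net with esmtpa (Exim 4.84);
    Wed, 4 May 2016 21:09:55 +0000 (UTC)
From: "Armada Collective" <ddos@example.net>
To: me@mydomain.example
Subject: FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY

Your network will be DDoS-ed ...
"""

IPV4_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_internal(ip):
    """Loopback, link-local or RFC 1918: useless as a reporting target.
    Checked explicitly because ipaddress.is_global also rejects the
    documentation ranges used in the constructed sample."""
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918)


def _from_ip(received):
    """IPv4 address in the 'from ...' clause of one unfolded Received header."""
    head = received.split(" by ", 1)[0]          # ignore the receiving host's own address
    m = IPV4_RE.search(head)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def analyse_received(raw_message, my_mx):
    """Return the IP to report to an abuse desk and the IP that is merely claimed.

    Received headers are prepended, so hops[0] was written by the last MTA in
    the chain.  If that MTA is our own MX (named in its 'by' clause), the
    'from' address in it is the peer that actually connected to us: the one
    fact in the header block the sender could not forge.  Everything below it
    was supplied by the remote side and may be fabricated, so it is returned
    as a claim only, to pass along to the relay operator for their own check.
    """
    msg = email.message_from_string(raw_message)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    if not hops:
        raise ValueError("message has no Received headers")
    if f" by {my_mx}" not in hops[0]:
        raise ValueError("top Received header was not written by our MX; header block not trustworthy")
    trusted = _from_ip(hops[0])
    claimed = [ip for ip in map(_from_ip, hops[1:]) if ip is not None]
    # The earliest (bottom-most) routable address is the sender's claimed origin.
    claimed_origin = next((ip for ip in reversed(claimed) if not _is_internal(ip)), None)
    return {"report_to_ip": trusted, "claimed_origin": claimed_origin, "hops": hops}


if __name__ == "__main__":
    result = analyse_received(SAMPLE_MESSAGE, "mx.mydomain.example")
    print("send full headers to the abuse contact for:", result["report_to_ip"])
    print("claimed (unverified) origin for them to check:", result["claimed_origin"])
```

Report `report_to_ip` (the relay that connected to your MX) to that network's abuse contact; mention `claimed_origin` as what the lower headers say, not as fact. If the top Received line was not written by your own server the function refuses to trust the block, which is the caveat in the answer about hosts impersonating a compromised machine.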
53

Ignore it.

Cloudflare themselves have stated that these are fake; see https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/. I highly recommend that you read this article, as it is a very clear explanation from the front line. The Armada Collective is a real DDOS group, but some con artists are just using their name to try to scare people. The Bitcoin address is apparently the same on all their emails, which means that they will never know who has paid them.
It is possible to track the amounts paid to a Bitcoin address and it seems they have made over $100K from this scam!

Bottom line, DDOS threats should be backed up by proof (perhaps a DDOS of 15 mins) before you pay up.

EDIT: Just to clarify as it seems from the comments that I wasn't clear enough.
I don't mean to give an opinion whether payment should be made or not. Always have good security, and if a threat causes you to decide to spend money - either by paying the demand or by purchasing DDOS protection that you wouldn't otherwise need - check that the threat is legitimate first by demanding more proof than what might be just an empty threat.

David Glickman
  • http://imgur.com/iLUE7BU – alexw May 05 '16 at 15:43
  • A quick internet search pulls up at least a few different bitcoin addresses have been used, so either they caught on, there are multiple groups doing this, or CloudFlare didn't have a large enough sampling. – Alexander O'Mara May 05 '16 at 21:07
  • If any address is used more than once, they cannot identify who has paid money to them via that address. – David Glickman May 05 '16 at 22:08
  • @Erik, I interpreted the last sentence as advice to attackers to prove their abilities by actually performing a DDOS for 15 minutes before expecting payment. Kind of an odd statement to include on this site, but the alternate version makes sense: "Have good security. Ignore any DDOS threat/demand for ransom unless there is actual evidence that it has teeth. Then, handle your vulnerability to DDOS (and then continue to ignore the threats)." – Wildcard May 06 '16 at 03:05
  • Not saying that you should or shouldn't pay. Paying DDOS or ransomware demands is a matter of opinion which we could discuss at length. There have been some high profile cases in USA where hospitals have paid out for ransomware. I've clarified my answer to wildcard's correct interpretation, except with the proviso that some people might actually want to pay. I'm not about to give advice to DDOS attackers, although I think that the 'legitimate' ones are probably quite annoyed by these guys! – David Glickman May 06 '16 at 08:50
  • Wow people are really paying those guys? – Gigala May 10 '16 at 07:22
18

If you are in the UK please do this:

Message sent by Action Fraud (Action Fraud, Administrator, National)

Within the past 24 hours a number of businesses throughout the UK have received extortion demands from a group calling themselves ‘Lizard Squad’.

Method of Attack: The group have sent emails demanding payment of 5 Bitcoins, to be paid by a certain time and date. The email states that this demand will increase by 5 Bitcoins for each day that it goes unpaid.

If their demand is not met, they have threatened to launch a Denial of Service attack against the businesses’ websites and networks, taking them offline until payment is made.

The demand states that once their actions have started, they cannot be undone.

What to do if you’ve received one of these demands:

  • Report it to Action Fraud by calling 0300 123 2040 or by using the online reporting tool
  • Do not pay the demand
  • Retain the original emails (with headers)
  • Maintain a timeline of the attack, recording all times, type and content of the contact

If you are experiencing a DDoS right now you should:

  • Report it to Action Fraud by calling 0300 123 2040 immediately.
  • Call your Internet Service Provider (ISP) (or hosting provider if you do not host your own Web server), tell them you are under attack and ask for help.
  • Keep a timeline of events and save server logs, web logs, email logs, any packet capture, network graphs, reports etc.

Get Safe Online top tips for protecting your business from a DDoS:

  • Consider the likelihood and risks to your organisation of a DDoS attack, and put appropriate threat reduction/mitigation measures in place.
  • If you consider that protection is necessary, speak to a DDoS prevention specialist.
  • Whether you are at risk of a DDoS attack or not, you should have the hosting facilities in place to handle large, unexpected volumes of website hits.
Damian
  • Lizard Squad were disbanded after last year's PSN attacks; these threats have been proven to be fake http://www.ibtimes.co.uk/fake-lizard-squad-ddos-demands-hit-uk-businesses-spurring-police-warning-1558049 – James Kirkby May 05 '16 at 10:46
  • Thanks, I'm in the US but I'm sure this will be useful for others. – alexw May 05 '16 at 16:00
  • @JamesKirkby yeah, but it's still useful info for the next bunch of ******** who do have their purchased bot network ready to go. – gbjbaanb May 05 '16 at 16:06
7

Pay and we will know its you.

This is the thing: an empty threat looking exactly like what you have there has been going around, which always has the same bitcoin address in it. In other words: they can't know it's you if you pay, and therefore the threat must be a bluff. Still, hundreds of thousands of dollars have reportedly been sent to that address, by people taken in by it...

To find out if it is a bluff, google the bitcoin address. I imagine you'll quickly be able to find out whether they sent you a unique one, in which case you have reason to worry, or not.

Steve Gibson talked about this on episode 557 of his Security Now podcast (transcript here). My money is on it being a bluff, since your text appears to be word for word the same as what Steve Gibson talks about.

Pepijn Schmitz
  • I only found the bitcoin address they sent, mentioned on one other website. However, who knows how many other people have received this same address. It does not appear that anyone has made any payments to the address at this time. – alexw May 06 '16 at 18:43
  • @alexw I'd say even one find is enough to conclude it's a bluff. They could only tell that you're the one who paid if they send you, and only you, a unique address. – Pepijn Schmitz May 06 '16 at 19:40
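The answer above (and E.P.'s comment on the first answer) make the same point: if the Bitcoin address in your copy also appears in other people's copies, the sender cannot tell who paid, so the threat is a bluff. The following is an added example, not code from any answer, of turning that into a check over a batch of received extortion mails: it extracts legacy Bitcoin addresses, verifies their Base58Check checksum (a mistyped address cannot be paid at all, another bluff signal) and flags any address shared across recipients. The three sample emails and recipients are constructed; `SHARED` is the well-known genesis-block address used only as a known-good checksum vector, and `UNIQUE` is the example address from the Bitcoin wiki; neither is an address from the actual extortion mails.

```python
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check addresses only: '1' (P2PKH) or '3' (P2SH), 26-35 chars,
# never containing 0, O, I or l.  Bech32 (bc1...) addresses are not handled.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Constructed corpus; these are NOT the addresses from the real emails.
# SHARED is the genesis-block address (a known-good checksum vector),
# UNIQUE is the example address from the Bitcoin wiki.
SHARED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
UNIQUE = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SAMPLE_EMAILS = [
    ("alice@example.org", f"pay protection fee - 10 Bitcoins @ {SHARED}"),
    ("bob@example.net", f"Prevent it all with just 10 BTC @ {SHARED}"),
    ("carol@example.com", f"pay 5 BTC to {UNIQUE} or the attack will start"),
]


def b58decode(s):
    """Base58 -> bytes.  Each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)            # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_legacy_address(addr):
    """Version byte 0x00/0x05, 20-byte hash, 4-byte double-SHA256 checksum.
    A mistyped or truncated address fails here and could not be paid at all."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def address_reuse_report(emails):
    """emails: iterable of (recipient, body).
    Returns {address: {"recipients": set_of_recipients, "valid": bool}}."""
    report = defaultdict(lambda: {"recipients": set(), "valid": False})
    for recipient, body in emails:
        for addr in ADDR_RE.findall(body):
            report[addr]["recipients"].add(recipient)
            report[addr]["valid"] = is_valid_legacy_address(addr)
    return dict(report)


def is_probable_bluff(report, addr):
    """Reused across recipients (sender cannot tell who paid) or unpayable."""
    entry = report[addr]
    return len(entry["recipients"]) > 1 or not entry["valid"]


if __name__ == "__main__":
    rep = address_reuse_report(SAMPLE_EMAILS)
    for addr, entry in rep.items():
        print(addr, "recipients:", len(entry["recipients"]),
              "valid:", entry["valid"], "bluff:", is_probable_bluff(rep, addr))
```

Feed it every copy you and your contacts received (or the address lists in the Cloudflare and Ars Technica articles linked above). One address showing up for two different recipients is enough to settle it, as the comment above says; a per-victim address passes this check but still proves nothing about capability.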
5

This threatening email seems to be just that: a threat.

You don't have to tolerate it, whatever they will do, this is plain extortion.

Report it to:

  • your hosting company, by sending them an original copy of the threatening E-mail (with all headers in their original form. Transfer as an attachment within any professional E-mail client),

  • your national security agency or specialised IT police department with an original copy of the threatening E-mail.

[...] the world is in greater peril from those who tolerate or encourage evil than from those who actually commit it.
  – Albert Einstein

MrWhite
dan
3

Seems like a bluff for all the reasons given in other answers.

If they're planning to DDoS you with sheer bandwidth then they aren't just DDoSing you, they'd be attacking the network connection of your VPS.

Therefore, even though this attack seems unlikely, it's probably best to inform your VPS vendor that the threat has occurred. They might tell you to ignore it (and future threats), but since it will affect them if it ever happens then the courteous thing to do is let them know and find out their policy. They've probably seen threats like this before and if so they have more experience than you deciding whether and when to involve law enforcement.

Of course this depends to an extent on your VPS vendor: if you happen to know that their customer service is unresponsive or incompetent then there's not a lot you can do in that direction.

Steve Jessop
-1

Do nothing, it's probably a bot sending you that email anyway. They don't know your IP address and won't find out if you don't reply either. Even if they do, you might notice your connection starts lagging out. In that case, simply inform your ISP and request a new IP address, problem solved.

Kevin