DDoS attack

The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies.

According to local media, seven banks have received emails that asked the organizations to pay ransoms of nearly $315,000 or suffer downtime via DDoS attacks.

Only five of the seven targets are publicly known, which are also the country's biggest financial institutions: KB Kookmin Bank, Shinhan Bank, Woori Bank, KEB Hana Bank, and NH Bank.

Ransom demands made by Armada Collective

The ransom demands were signed by a group of "Armada Collective," a name that has a long history behind it.

The group first appeared in 2015, and they are considered one of the hacker groups that popularized ransom DDoS (RDoS) attacks alongside another group known as DD4BC (DDoS-for-Bitcoin).

While Europol apprehended suspects behind the DD4BC group, the people behind Armada Collective were never caught, and their tactics seem to have evolved across time.

Armada Collective and RDoS attacks over time

Radware, a cyber-security company that tracks RDoS attacks on a consistent basis, says the group has gone through two main stages.

In the beginning, the group targeted a small number of targets, all from the same industry, and launched demo DDoS attacks to prove their claims and force the hand of victims into paying the ransom.

After a successful extortion of the ProtonMail secure email service in late 2015 that got a lot of media attention, the group appeared to have gone into hiding, but then returned in 2016.

This time around, the group's tactics changed, and Armada Collective — or impostors posing as the group — only made empty threats, targeting a large number of companies, all at the same time, from different sectors, and rarely launched any DDoS attacks to prove their claims.

Armada Collective's RDoS attacks in 2016 were hardly noticed. Because of the group and DD4BC's success, numerous other actors entered the DDoS ransom market niche, such as New World Hackers, Lizard Squad (copycats), Kadyrovtsy, RedDoor, ezBTC, Borya Collective, and others.

Most of these groups issued empty threats, a common theme with RDoS groups in 2016, also continued in 2017, with new groups such as Stealth Ravens, XMR Squad, ZZb00t, Meridian Collective, Xball Team, and Collective Amadeus. Furthermore, empty DDoS threats from groups posing as Anonymous have been the norm for the past two years, with the most recent wave being detected just last week.

Nayana's payment may lead to more attacks on South Korea

Last week, Armada Collective's name resurfaced after a long period of silence. The ransom demands were sent — not surprisingly — just two days after news broke in the international press that a South Korean web hosting company paid over $1 million in a ransomware demand.

Nayana's payment was the largest ransomware payment ever made and may have involuntarily put a giant bullseye on the backs of all South Korean businesses, now considered more willing to pay outrageous ransom demands to be left alone.

The Armada Collective ransom letters sent last week to South Korean banks said the group would launch DDoS attacks on the targeted banks today, June 26, and double their ransom demand.

At the time of writing, the attacks didn't take place, based on evidence available in the public domain. Nonetheless, the attackers won't be discouraged by this initial refusal, and if they truly have the ability to launch crippling DDoS attacks like the ones that targeted ProtonMail, then South Korean banks and other businesses are in for a long summer.