Many companies in Germany and Switzerland have received blackmail threats in the name of XMR-Squad since Monday (May 1, 2017). The Link11 Security Operation Center (LSOC) has been monitoring developments closely. The criminal group was recently in the news for its DDoS attacks on Hermes and DHL, but attention quickly dissipated. Based on its initial analysis, the LSOC assumes that this latest round of blackmail is the work of copycats.
The method and appearance of the perpetrators in this later round differ in certain key aspects from those seen in the incidents between April 19 and April 26, 2017. The LSOC has summarized the particulars as follows:
- In the first round of extortion, the perpetrators said that their demands were “testing fees” for checking the victims’ protection against DDoS attacks. The latest round no longer makes this claim; instead, even the subject line speaks of a “Ransom request.”
- The text of the emails has been largely copied from previously published blackmail attempts in the name of the Armada Collective. One of the new emails allegedly sent by XMR-Squad can be read here.
- In the April incidents, XMR-Squad launched a first wave of DDoS attacks and only then made contact with its victims. In the current round there have been no demonstration attacks. As with extortion outfits such as the Borya Collective, RedDoor, and Caremini, the perpetrators may be trying to extort Bitcoin payments with nothing more than the threat of such attacks.
- The ransom demands in the current round are between 3 and 10 Bitcoin (about €4,000 to €13,000 as of May 2, 2017), well above the €250 that XMR-Squad tried to extort from its victims earlier in April.
XMR-Squad would not be the first extortion group to be imitated. Copycatting the Armada Collective or Lizard Squad has become very popular. The Armada Collective first appeared in October 2015, and there have since been repeated DDoS extortion attempts in Germany and Switzerland under this name. Lizard Squad gained international notoriety with its DDoS attacks on the Xbox and PlayStation networks at Christmas 2014.
The LSOC is in contact with many of the companies targeted by XMR-Squad and will closely monitor events as they unfold. It is still unclear whether the perpetrators will actually carry out the DDoS attacks of up to 500 Gbps they have announced.