Three new DDoS extortioners are active in parallel in Europe
In addition to the Meridian Collective, the Xball Team and the Collective Amadeus are currently blackmailing companies with DDoS attacks.
Several DDoS extortion gangs are currently active in Germany, Austria, Switzerland and other European countries such as Norway, Great Britain and Spain. Not only companies but also private individuals who have registered a domain with a hosting provider have been asked to pay in bitcoin. In addition to DDoS attacks, the senders also threaten to encrypt the victims' hard disks and to publish hacked data. The Meridian Collective (German source), the Xball Team and the Collective Amadeus presented themselves as the senders. According to the Link11 Security Operation Center (LSOC), one and the same perpetrator is probably behind all three groups.
Meridian Collective was the first to appear
Since June 13, 2017, numerous companies in Germany have received DDoS extortion emails in the name of the "Meridian Collective". The perpetrator(s) demand a protection payment of 1 Bitcoin to prevent DDoS attacks of several hundred Gbps. Meridian Collective follows the same pattern as earlier DDoS extortionists such as RedDoor (German source), New World Hacking Groups, Borya Collective and imitators of the Armada Collective.
Accordingly, the extortion message is almost identical to the text that the alleged Armada Collective (German source) sent to financial companies in Germany in August 2016. The new perpetrators merely replaced the group name, the payment deadline, the amount of Bitcoin demanded and the Bitcoin address. As in the original version, Meridian Collective also kept the threat of disk encryption.
Excerpt from one of the extortion messages:
"We, HACKER TEAM - Meridian Collective
1 - We checked your security system. The system works is very bad
2 - On Friday 16_06_2017_8:00p.m. GMT !!! We begin to attack your network servers and computers
3 - We will produce a powerful DDoS attack - up to 200 Gbps
4 - Your servers will be hacking the database is damaged
5 - All data will be encrypted on computers Crypto-Ransomware
4 - You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
5 - Do you have time to pay. If you do not pay before the attack 1 bitcoin the price will increase to 5 bitcoins
6 - After payment we will advice how to fix bugs in your system"
The offender(s) use several different Bitcoin addresses, threaten DDoS bandwidths of between 200 Gbps and 300 Gbps (German source) and, besides German companies, have also addressed Spanish and British ones.
Team Xball threatens more than DDoS attacks
The next to appear was the Xball Team, also calling itself the Xball Collective. The extortion emails available to the LSOC date from June 15, 2017. Unlike the Meridian Collective, the perpetrators threatened not only DDoS attacks and hard disk encryption but also the disclosure of hacked data.
The emails were sent with the subject "Attention" or "Warning" followed by a 7-digit number. The payment deadline was one hour earlier than in the Meridian Collective extortions, namely 7 p.m. (GMT) on Friday, June 16, 2017.
Excerpt from one of the extortion emails on behalf of the Xball Team:
"We are the Team Xball and we have chosen your website/network as target for our next DDoS attack. Unfortunately your data was leaked in the recent hacking of the web site and we now have your information. We have DataBase tax forms, DOB, Names, Addresses, Credit card details, bank account full details and more sensitive data. Now, we can publish your details and your clients online who would damage the rating of the company and would create many problems for you. On Friday 16_06_2017_7:00p.m. GMT !!! We begin to attack your network servers and computers We will produce a powerful DDoS attack - up to 250 Gbps All data will be encrypted on computers Crypto-Ransomware You can stop the attack beginning, if payment 1 bitcoin (2900 $). Do you have time to pay. If you do not pay before the attack 1 bitcoin the price will increase to 10 bitcoins Please send the bitcoin to the following Bitcoin address: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Once you have paid we will automatically get informed that it was your payment."
When selecting its victims, the Xball Team went primarily for volume: it addressed not only enterprises but also private individuals who run neither an online shop nor a professional website.
The Collective Amadeus is also active
The "Collective Amadeus" (also "collective of Amadeus") threatened to unleash a whole package of cyber attacks on its victims should the protection money of 1 Bitcoin not be paid. These emails were also sent on June 15 and were practically identical to those of the Xball Team. Only the statements about the payment deadline differed, and they varied from email to email:
"On Friday 06-16 9:00 pm GMT !!! We begin to attack your network servers and computers"
and
"On 6/17/2017 6:23:59 AM + 36 Hours !!! We begin to attack your network servers and computers"
The LSOC assumes that the same offender(s) are behind all three DDoS extortioners, Meridian Collective, Team Xball and Collective Amadeus. Several payment deadlines have already passed without any DDoS attacks, hard disk encryption or data disclosure being recorded.
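The attribution above rests on the three templates differing only in the fields the extortioner swaps between campaigns (group name, deadline, amounts, Bitcoin address). As an added example, not code from the article, Link11 or the LSOC, the following Python script pulls those fields out of the two messages quoted above, then masks them and measures how much boilerplate the two notes still share, compared with a constructed benign hosting email used as a control. The Bitcoin addresses are kept masked with "x" characters exactly as on the page, so the address pattern accepts that masked form alongside a real base58 address.

```python
"""Triage helper for the DDoS extortion emails quoted on this page.

Added example; not code from Link11 or the LSOC. MERIDIAN and XBALL are the
excerpts quoted above, CONTROL is a constructed benign message. The Bitcoin
addresses stay masked with 'x' characters as on the page, so ADDRESS_RE accepts
that masked form as well as a real base58 address.
"""
import re
from datetime import datetime, timezone

MERIDIAN = """We, HACKER TEAM - Meridian Collective
1 - We checked your security system. The system works is very bad
2 - On Friday 16_06_2017_8:00p.m. GMT !!! We begin to attack your network servers and computers
3 - We will produce a powerful DDoS attack - up to 200 Gbps
4 - Your servers will be hacking the database is damaged
5 - All data will be encrypted on computers Crypto-Ransomware
4 - You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
5 - Do you have time to pay. If you do not pay before the attack 1 bitcoin the price will increase to 5 bitcoins
6 - After payment we will advice how to fix bugs in your system"""

XBALL = ("We are the Team Xball and we have chosen your website/network as target for our next DDoS attack. "
         "Unfortunately your data was leaked in the recent hacking of the web site and we now have your information. "
         "We have DataBase tax forms, DOB, Names, Addresses, Credit card details, bank account full details and more sensitive data. "
         "Now, we can publish your details and your clients online who would damage the rating of the company and would create many problems for you. "
         "On Friday 16_06_2017_7:00p.m. GMT !!! We begin to attack your network servers and computers "
         "We will produce a powerful DDoS attack - up to 250 Gbps All data will be encrypted on computers Crypto-Ransomware "
         "You can stop the attack beginning, if payment 1 bitcoin (2900 $). Do you have time to pay. "
         "If you do not pay before the attack 1 bitcoin the price will increase to 10 bitcoins "
         "Please send the bitcoin to the following Bitcoin address: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "
         "Once you have paid we will automatically get informed that it was your payment.")

# Constructed benign message: a hosting notice with no extortion boilerplate.
CONTROL = ("Hello, this is your hosting provider. Your domain renewal invoice is attached. "
           "Please pay by bank transfer within 14 days. Contact support if you have questions.")

# The fields the extortioner swaps between campaigns.
ADDRESS_RE = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}|x{25,}")          # base58 or page-style mask
DEADLINE_RE = re.compile(r"\d{1,2}[_-]\d{1,2}(?:[_-]\d{4})?[_ ]\d{1,2}:\d{2}\s*[ap]\.?m\.?\s*GMT", re.I)
GROUP_RE = re.compile(r"(?:HACKER TEAM - |We are the )(.+?)(?:\n| and |$)")


def parse_deadline(raw):
    """Parse the 'DD_MM_YYYY_H:MMp.m. GMT' form used by Meridian and Xball; other forms give None."""
    m = re.match(r"(\d{1,2})_(\d{1,2})_(\d{4})_(\d{1,2}):(\d{2})\s*([ap])\.?m\.?", raw, re.I)
    if not m:
        return None
    day, month, year, hour, minute, ampm = m.groups()
    hour = int(hour) % 12 + (12 if ampm.lower() == "p" else 0)
    return datetime(int(year), int(month), int(day), hour, int(minute), tzinfo=timezone.utc)


def extract_indicators(text):
    """Pull the fields an analyst tracks across extortion waves."""
    def first_int(pattern):
        m = re.search(pattern, text, re.I)
        return int(m.group(1)) if m else None
    group, addr, deadline = GROUP_RE.search(text), ADDRESS_RE.search(text), DEADLINE_RE.search(text)
    return {
        "group": group.group(1).strip() if group else None,
        "btc_address": addr.group(0) if addr else None,
        "deadline_raw": deadline.group(0) if deadline else None,
        "deadline_utc": parse_deadline(deadline.group(0)) if deadline else None,
        "gbps": first_int(r"up to (\d+)\s*Gbps"),
        "demand_btc": first_int(r"payment (\d+) bitcoin"),
        "escalation_btc": first_int(r"increase to (\d+) bitcoins"),
        "usd_quoted": first_int(r"\((\d+)\s*\$\)"),
    }


def mask_template(text):
    """Strip list markers and replace the swapped fields, leaving only the boilerplate."""
    t = re.sub(r"^\s*\d+\s*-\s*", "", text, flags=re.M)
    t = GROUP_RE.sub(lambda m: m.group(0).replace(m.group(1), "<group>"), t)
    t = ADDRESS_RE.sub(" <addr> ", t)
    t = DEADLINE_RE.sub(" <deadline> ", t)
    return re.sub(r"\d+", " <n> ", t)


def template_overlap(a, b, n=3):
    """Share of a's word n-grams (after masking) that also occur in b; 1.0 means a is boilerplate of b."""
    def shingles(text):
        toks = re.findall(r"<\w+>|[a-z]+", mask_template(text).lower())
        return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa) if sa else 0.0


if __name__ == "__main__":
    for name, mail in (("Meridian", MERIDIAN), ("Xball", XBALL)):
        print(name, extract_indicators(mail))
    print("Meridian vs Xball boilerplate overlap: %.2f" % template_overlap(MERIDIAN, XBALL))
    print("Meridian vs benign hosting mail:       %.2f" % template_overlap(MERIDIAN, CONTROL))
```

The extracted fields (deadline in UTC, demanded and escalated amounts, advertised bandwidth, address) are what to log per wave; the masked-template overlap is what supports a "same template, same actor" judgement, so it should be computed against a benign baseline as well, as the control message here does, rather than read in isolation.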
Cases of DDoS extortion have increased since the beginning of the year
Since the beginning of 2017, the LSOC has already recorded three very aggressive waves of DDoS attacks and extortion. The perpetrators behind them, Stealth Ravens, XMR-Squad and ZZb00t (who was briefly imprisoned), went from words to deeds and repeatedly launched DDoS attacks. No attack activity has yet been reported in the name of the Meridian Collective. The payment deadline given to all the addressed companies expires on Friday, June 16.
The LSOC recommends not giving in to extortion under any circumstances. In the event of a DDoS attack, affected companies are advised to form a crisis team and have a contingency plan in place. The DDoS protection experts also recommend informing the internet provider and obtaining information about protective measures against DDoS attacks in advance.