[AusNOG] ATTENTION: Ransom request!!!

Skeeve Stevens skeeve+ausnog at eintellegonetworks.com
Mon Jul 11 14:21:09 EST 2016 

Yes.  Of the 10 or so I've seen this year, I've seen (I think) 2 or 3 go
through with it and a DoS attack hitting within the window.  I've not seen
anyone pay.

The problem is, this crap is so easy to automate.

Best thing to do is let them hit you and be prepared with an anti-DDoS from
someone like Micron21. Have it so that you can bring up over an Elastic
Fabric very quickly... and have it pre-configured and ready to go.

So:
1. Ignore the payment
2. Prepare to be hit with an attack
3. When the attack does nothing, they won't bother you again




...Skeeve

*Skeeve Stevens - Founder & The Architect* - eintellego Networks Pty Ltd
Email: skeeve at eintellegonetworks.com ; Web: eintellegonetworks.com

Cell +61 (0)414 753 383 ; Skype: skeeve ; LinkedIn: /in/skeeve
<http://linkedin.com/in/skeeve> ; Expert360: Profile
<https://expert360.com/profile/d54a9> ; Keybase: https://keybase.io/skeeve

On Mon, Jul 11, 2016 at 1:59 PM, Paul Baker <Paul.Baker at vocus.com.au> wrote:

> I believe these are a real threat, albeit from a lazy attacker. We’ve
> experienced large attacks accompanying identical threat emails from the
> group. They rarely ever follow up after the deadline comes, or follow up
> with a 48 hours time extension, then give up. Has anyone experienced
> anything more than the initial 15 minute “warning attack”?
>
> Regards,
>
> Paul Baker | Network Architect (Innovation and Network Strategy)
>
> D: +61 2 8999 8134   E: Paul.Baker at vocus.com.au
> P: 1300 88 99 88 or +61 2 8999 8999  W: vocus.com.au
> A: Level 2, 20 Bridge Street, Sydney, NSW 2000, Australia
>
> From: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Keith
> Anderson <keitha at apcs.com.au>
> Date: Sunday, 10 July 2016 at 11:21 AM
> To: Luca Salvatore <luca at digitalocean.com>
> Cc: "ausnog at ausnog. net List" <ausnog at ausnog.net>
> Subject: Re: [AusNOG] ATTENTION: Ransom request!!!
>
> Hi All,
>
> Well the time came and went, was as disappointing as Y2K, a non event.
>
> Have a good weekend all, whats left of it….
>
> ThanksKeith
>
>
>
> * apcs Keith Anderson l Managing Director AUS Mobile. +61 400 947 947
> Fax.   1300 7654 27 PNG Phone. +675 303 1236  Mobile. +675 76 947
> 947   Fax. +675 325 9066 Email. keitha at apcs.com.au
> <keitha at apcs.com.au> l Web.  www.apcs.com.au <http://apcs.com.au/> *
>
>
> *
> <?ui=2&ik=d2db47af47&view=fimg&th=155d81c625b52d43&attid=0.1&disp=emb&attbid=ANGjdJ9Ep9TQpUNTbAv8yKuvsrye66srSKUQitaQ5HHzV-Eu5oQ5tNv9BgnhRX2t8rHqYSlZS4P8S3Z5XaZ-kEzCALEQeJJxYbVZa540-MfvTNJMc0cV5J7M-toO1Pk&sz=s0-l75-ft&ats=1468210059683&rm=155d81c625b52d43&zw&atsh=0>PastedGraphic-2.tiff
> *
>
> On 9 Jul 2016, at 1:55 AM, Luca Salvatore <luca at digitalocean.com> wrote:
>
> They are fake... nothing ever happens.  We've had a bunch of threats from
> them and it never eventuates into anything.
>
> On Fri, Jul 8, 2016 at 9:21 AM, A <clonemeagain at gmail.com> wrote:
>
>> Cloudflare have an interesting article on it:
>> https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/
>> On 8 Jul 2016 11:15 pm, "Keith Anderson" <keitha at apcs.com.au> wrote:
>>
>>> Hi All,
>>>
>>> Glad we have DoS filtering in place, hope it works.
>>>
>>> received this one yesterday.
>>>
>>> Have a good weekend all,
>>>
>>> ### HEADER
>>>
>>> Received: from removed [x.x.x.x])
>>> by removed (Postfix) with ESMTP id E077333F9F
>>> for <systemadmin at removed>; Thu,  7 Jul 2016 15:04:38 +1000 (PGT)
>>> X-ASG-Debug-ID: 1467867840-06ff6519594ed72d0001-Vn5JKc
>>> Received: from ks3293195.kimsufi.com (ks3293195.kimsufi.com [5.135.186.134])
>>> by filter1-removed with ESMTP id zxmM3rWeIgLfLFeL for <Removed>; Thu, 07
>>> Jul 2016 05:04:02 +0000 (GMT)
>>> X-Barracuda-Envelope-From: armada.collective at gmail.com
>>> X-Barracuda-Effective-Source-IP: ks3293195.kimsufi.com[5.135.186.134]
>>> X-Barracuda-Apparent-Source-IP: 5.135.186.134
>>> From: Armada Collective <armada.collective at gmail.com>
>>> To: <sysadmin at r <sysadmin at datec.net.pg>emoved>
>>> Subject: ATTENTION: Ransom request!!!
>>> X-Barracuda-Connect: ks3293195.kimsufi.com[5.135.186.134]
>>> X-Barracuda-Start-Time: 1467867841
>>> X-Barracuda-URL: XXX
>>> X-ASG-Orig-Subj: ATTENTION: Ransom request!!!
>>> X-Barracuda-Scan-Msg-Size: 1266
>>> X-Virus-Scanned: by bsmtpd at XXXX
>>> X-Barracuda-BRTS-Status: 1
>>> X-Barracuda-Spam-Score: 2.00
>>> X-Barracuda-Spam-Status: No, SCORE=2.00 using global scores of
>>> TAG_LEVEL=4.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=MISSING_DATE,
>>> MISSING_MID, PLING_PLING
>>> X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31081
>>> Rule breakdown below
>>>  pts rule name              description
>>> ---- ----------------------
>>> --------------------------------------------------
>>> 0.14 MISSING_MID            Missing Message-Id: header
>>> 1.40 MISSING_DATE           Missing Date: header
>>> 0.46 PLING_PLING            Subject has lots of exclamation marks
>>> Message-ID: <20160707050438.7DECC16CC0B3 at filter1-X
>>> <20160707050438.7DECC16CC0B3 at filter1-dc3.datec.net.pg>XX>
>>> Date: Thu, 7 Jul 2016 05:04:38 +0000
>>> Return-Path: armada.collective at gmail.com
>>> MIME-Version: 1.0
>>> Content-Type: text/plain
>>> X-MS-Exchange-Organization-Network-Message-Id:
>>> 07157968-b5a4-4cfa-da65-08d3a624c308
>>> X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
>>> X-MS-Exchange-Organization-AuthSource: POM.local
>>> X-MS-Exchange-Organization-AuthAs: Anonymous
>>> ### END FULL HEADER
>>>
>>>
>>> -----Original Message-----
>>> From: Armada Collective [mailto:armada.collective at gmail.com
>>> <armada.collective at gmail.com>]
>>> Sent: Thursday, 7 July 2016 3:05 PM
>>> To: Removed
>>> Subject: ATTENTION: Ransom request!!!
>>>
>>> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
>>> DECISION!
>>>
>>> We are Armada Collective.
>>>
>>> All your servers will be DDoS-ed starting Saturday (Jul 9 2016) if you
>>> don't pay 5 Bitcoins @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC
>>>
>>> When we say all, we mean all - users will not be able to access sites
>>> host with you at all.
>>>
>>> Right now we will start 15 minutes attack on your site's IP X.X.X.X It
>>> will not be hard, we will not crash it at the moment to try to minimize
>>> eventual damage, which we want to avoid at this moment. It's just to prove
>>> that this is not a hoax. Check your logs!
>>>
>>> If you don't pay by Saturday, attack will start, price to stop will
>>> increase by 5 BTC for every day of attack.
>>>
>>> If you report this to media and try to get some free publicity by using
>>> our name, instead of paying, attack will start permanently and will last
>>> for a long time.
>>>
>>> This is not a joke.
>>>
>>> Our attacks are extremely powerful - sometimes over 1 Tbps per second.
>>> So, no cheap protection will help.
>>>
>>> Prevent it all with just 5 BTC @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC
>>>
>>> Do not reply, we will probably not read. Pay and we will know its you.
>>> AND YOU WILL NEVER AGAIN HEAR FROM US!
>>>
>>> Bitcoin is anonymous, nobody will ever know you cooperated.
>>>
>>> ———————————
>>>
>>>
>>>
>>>
>>>
>>> * apcs Keith Anderson l Managing Director AUS Mobile. +61 400 947 947
>>> <%2B61%20400%20947%20947>  Fax.   1300 7654 27 <1300%207654%2027> PNG
>>> Phone. +675 303 1236 <%2B675%20303%201236>  Mobile. +675 76 947
>>> 947   Fax. +675 325 9066 <%2B675%20325%209066> Email. keitha at apcs.com.au
>>> <keitha at apcs.com.au> l Web.  www.apcs.com.au <http://apcs.com.au/> *
>>>
>>>
>>> * <PastedGraphic-2.tiff> *
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
>
> --
> Luca Salvatore
> Manager, Network Team | DigitalOcean
> Phone: +1 (929) 214-7242
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160711/4a181c3c/attachment.html>

More information about the AusNOG mailing list