[AusNOG] ATTENTION: Ransom request!!!

Jonathan Morgan jon at area1.com
Sat Jul 9 01:09:06 EST 2016 

We have also seen Armada Collective and this same threat before...We wrote
an article up which I'm attaching for those interested.

Best,

Jon Morgan


_________________________________________________________________
Jonathan T. Morgan | Area 1 | Director of Research Operations | m.
857.284.2009

https://www.linkedin.com/in/jonathantmorgan


   - Public Profilehttps://www.linkedin.com/in/jonathantmorgan


On Fri, Jul 8, 2016 at 9:21 AM, A <clonemeagain at gmail.com> wrote:

> Cloudflare have an interesting article on it:
> https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/
> On 8 Jul 2016 11:15 pm, "Keith Anderson" <keitha at apcs.com.au> wrote:
>
>> Hi All,
>>
>> Glad we have DoS filtering in place, hope it works.
>>
>> received this one yesterday.
>>
>> Have a good weekend all,
>>
>> ### HEADER
>>
>> Received: from removed [x.x.x.x])
>> by removed (Postfix) with ESMTP id E077333F9F
>> for <systemadmin at removed>; Thu,  7 Jul 2016 15:04:38 +1000 (PGT)
>> X-ASG-Debug-ID: 1467867840-06ff6519594ed72d0001-Vn5JKc
>> Received: from ks3293195.kimsufi.com (ks3293195.kimsufi.com [5.135.186.134])
>> by filter1-removed with ESMTP id zxmM3rWeIgLfLFeL for <Removed>; Thu, 07
>> Jul 2016 05:04:02 +0000 (GMT)
>> X-Barracuda-Envelope-From: armada.collective at gmail.com
>> X-Barracuda-Effective-Source-IP: ks3293195.kimsufi.com[5.135.186.134]
>> X-Barracuda-Apparent-Source-IP: 5.135.186.134
>> From: Armada Collective <armada.collective at gmail.com>
>> To: <sysadmin at r <sysadmin at datec.net.pg>emoved>
>> Subject: ATTENTION: Ransom request!!!
>> X-Barracuda-Connect: ks3293195.kimsufi.com[5.135.186.134]
>> X-Barracuda-Start-Time: 1467867841
>> X-Barracuda-URL: XXX
>> X-ASG-Orig-Subj: ATTENTION: Ransom request!!!
>> X-Barracuda-Scan-Msg-Size: 1266
>> X-Virus-Scanned: by bsmtpd at XXXX
>> X-Barracuda-BRTS-Status: 1
>> X-Barracuda-Spam-Score: 2.00
>> X-Barracuda-Spam-Status: No, SCORE=2.00 using global scores of
>> TAG_LEVEL=4.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=MISSING_DATE,
>> MISSING_MID, PLING_PLING
>> X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31081
>> Rule breakdown below
>>  pts rule name              description
>> ---- ----------------------
>> --------------------------------------------------
>> 0.14 MISSING_MID            Missing Message-Id: header
>> 1.40 MISSING_DATE           Missing Date: header
>> 0.46 PLING_PLING            Subject has lots of exclamation marks
>> Message-ID: <20160707050438.7DECC16CC0B3 at filter1-X
>> <20160707050438.7DECC16CC0B3 at filter1-dc3.datec.net.pg>XX>
>> Date: Thu, 7 Jul 2016 05:04:38 +0000
>> Return-Path: armada.collective at gmail.com
>> MIME-Version: 1.0
>> Content-Type: text/plain
>> X-MS-Exchange-Organization-Network-Message-Id:
>> 07157968-b5a4-4cfa-da65-08d3a624c308
>> X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
>> X-MS-Exchange-Organization-AuthSource: POM.local
>> X-MS-Exchange-Organization-AuthAs: Anonymous
>> ### END FULL HEADER
>>
>>
>> -----Original Message-----
>> From: Armada Collective [mailto:armada.collective at gmail.com
>> <armada.collective at gmail.com>]
>> Sent: Thursday, 7 July 2016 3:05 PM
>> To: Removed
>> Subject: ATTENTION: Ransom request!!!
>>
>> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
>> DECISION!
>>
>> We are Armada Collective.
>>
>> All your servers will be DDoS-ed starting Saturday (Jul 9 2016) if you
>> don't pay 5 Bitcoins @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC
>>
>> When we say all, we mean all - users will not be able to access sites
>> host with you at all.
>>
>> Right now we will start 15 minutes attack on your site's IP X.X.X.X It
>> will not be hard, we will not crash it at the moment to try to minimize
>> eventual damage, which we want to avoid at this moment. It's just to prove
>> that this is not a hoax. Check your logs!
>>
>> If you don't pay by Saturday, attack will start, price to stop will
>> increase by 5 BTC for every day of attack.
>>
>> If you report this to media and try to get some free publicity by using
>> our name, instead of paying, attack will start permanently and will last
>> for a long time.
>>
>> This is not a joke.
>>
>> Our attacks are extremely powerful - sometimes over 1 Tbps per second.
>> So, no cheap protection will help.
>>
>> Prevent it all with just 5 BTC @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC
>>
>> Do not reply, we will probably not read. Pay and we will know its you.
>> AND YOU WILL NEVER AGAIN HEAR FROM US!
>>
>> Bitcoin is anonymous, nobody will ever know you cooperated.
>>
>> ———————————
>>
>>
>>
>>
>>
>> *apcsKeith Anderson l Managing DirectorAUS Mobile. +61 400 947 947
>> <%2B61%20400%20947%20947> Fax.  1300 7654 27 <1300%207654%2027>PNG
>> Phone. +675 303 1236 <%2B675%20303%201236>  Mobile. +675 76 947
>> 947   Fax. +675 325 9066 <%2B675%20325%209066>Email. keitha at apcs.com.au
>> <keitha at apcs.com.au> l Web. www.apcs.com.au <http://apcs.com.au/>*
>>
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160708/dfaec024/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PastedGraphic-2.tiff
Type: image/tiff
Size: 46058 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160708/dfaec024/attachment-0001.tiff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Area1_HR-20151207 (1).pdf
Type: application/pdf
Size: 487841 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160708/dfaec024/attachment-0001.pdf>

More information about the AusNOG mailing list