Another group calling itself CyberTeam also tried to extract a ransom payment of 5 Bitcoin (~$20,000) from the website of a prominent Swiss security researcher.

These DDoS threats made in the hope of extracting Bitcoin payments are called DDoS-for-Bitcoin or RDoS (Ransom DDoS) attacks. RDoS attacks have been on the rise since mid-June, after a South Korean hosting provider paid a ransom of nearly $1 million when web ransomware encrypted its customers' servers.

Ever since then, RDoS groups have become extremely active in the hope of a similar payday. We've already covered the groups that were active at the time in an article here.

Group posing as Anonymous targeted US companies

Since then, the most prominent RDoS campaign took place in mid-July, when a group using the name of the Anonymous hacker collective tried to extort payments from US companies under the threat of DDoS attacks.

At the time, Bleeping Computer obtained a copy of the ransom email from cyber-security firm Radware, which was investigating the threats.


Radware said that, despite posing as Anonymous hackers, this was the same group that had tried to obtain ransoms of $315,000 from four South Korean banks (for those RDoS extortions the group posed as Armada Collective, another well-known hacking crew).

“This is not an isolated case. This is a coordinated large-scale RDoS spam campaign that appears to be shifting across regions of the world,” Radware security researcher Daniel Smith told Bleeping Computer via email at the time.

“All ransom notes received have the same expiration date,” he added. “In RDoS spam campaigns like this one the actors threaten multiple victims with a 1Tbps attack on the same day.”

Most RDoS extortion attempts are empty threats

The group also claimed to control a Mirai botnet made up of compromised IoT devices and to be capable of launching DDoS attacks of 1 Tbps. No such attacks were observed following the ransom demands sent to US companies.

In research presented at the USENIX Security conference last week, researchers from Cisco, Akamai, Google, and three US universities revealed that, despite Mirai's reputation for being able to take down some of the largest online companies, most variants of the Mirai botnet were mainly used to target online gaming servers.

Most of these DDoS attacks on gaming servers were also relatively small, because multiple competing botnets split the pool of compromised IoT devices (the DDoS resources) among themselves.

In addition to the group posing as Anonymous, Radware also reported on multiple RDoS extortion attempts against gaming providers that took place in July.

“We suggest companies do not pay the ransom,” Smith said at the time, a recommendation that remains valid today, since paying encourages more blackmailers to join in.