Brokerage firms warned: 12th July 2017 deadline to pay ransom or be DDoS-ed
DDoS perpetrators sent blackmail notes to Malaysian brokerage firms last week, saying that they would crash these brokers’ online trading websites unless they receive payment in bitcoins by a 12th July deadline. At the time of publication of this article, only 72 hours remain for these brokerage firms to act.
If the ransom of 10 bitcoins is not paid by this deadline, the ransom amount would increase, and the victims would face large-scale and persistent multi-vector attacks.
The group claiming responsibility for these ransom notes is Armada Collective (AC), a hacking group apparently responsible for attacks in Taiwan and, in 2015, Switzerland.
Just a few days later, last Friday, local Chinese newspaper Nanyang Siang Pau reported that RHB Investment Bank had been under a large scale attack for at least two hours.
No link between Armada Collective’s ransom notes and the attack upon RHB has been established, but it is widely believed the attack was meant to serve as a reminder of the massive Distributed Denial of Service attack to come on the 12th or 13th of July, 2017.
Brokerage companies in Taiwan and Korea had also been sent the same ransom note earlier this year, in February and June respectively.
To date, it is believed that RHB wasn’t the only securities company affected, and that foreign securities companies and even banks were attacked as well.
EITN was informed by anonymous sources that last week’s trading volume had dropped from 3 billion transactions to possibly half of that. They added, however, that this reduction was of no material difference.
Industry experts estimate that online trading makes up about 20 percent of Bursa Malaysia’s market volume. Phone calls to remisiers or dealers still make up the majority of its market volume.
Alan See, founder and CEO of Firmus, a local cybersecurity solutions and consultancy provider, advises potential targets to work with their respective ISPs to block the DDoS attack. He also added, “We would like to advise brokers to instruct their online clients to call and submit trades through remisiers, if clients cannot access trading platforms online.”
He shared that the local regulator, MCMC, had directed ISPs to block the DDoS attack traffic last Friday evening.
A false alarm?
Will the Armada Collective follow through with their threat?
A blog post at CloudFlare seems to indicate that they won’t. One blog entry goes, “We heard from more than 100 existing and prospective CloudFlare customers who had received the Armada Collective’s emailed threats. We’ve also compared notes with other DDoS mitigation vendors with customers that had received similar threats.
“Our conclusion was a bit of a surprise: we’ve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack.”
Notably, the blog also adds: “In fact, because the extortion emails reuse Bitcoin addresses, there’s no way the Armada Collective can tell who has paid and who has not.”
However, the latest ransom note has this following line: “Pay and we will know it’s you. AND YOU WILL NEVER AGAIN HEAR FROM US! Bitcoin is anonymous, nobody will ever know you cooperated.”
Take precautions, nevertheless…
So, will the DDoS attack happen or not?
See said, “It’s suspected that ‘Armada Collective’ was originally one of the names used by the DD4BC DDoS extortion group that emerged in 2014.”
He explained that the tactics used by AC are almost identical to those of DD4BC (an acronym for DDoS for Bitcoins). “In fact, this tactic led many to believe that this is still the DD4BC group, just performing under a different name.
“However, it appears more likely that the publicity surrounding DD4BC has sparked off two events – it caused DD4BC to scale back attacks for fear of being caught (they had attracted FBI attention earlier) and it also attracted copycats who want to prove that this model will work.”
See concluded, “We are actively providing DDoS mitigation solutions and services to our clients, ranging from on-premises to clean-pipe solutions to meet different requirements and budgets.”
He shared that, according to the CIO of one brokerage company, this incident serves as a wake-up call to their board of directors, who are now more aware that cybersecurity is not an option in their business, but a must.