DDoS Protection , Security Operations

Greek Banks Face DDoS Shakedown

Attackers Demand Bitcoins to Cease Disruptions
Greek Banks Face DDoS Shakedown

Three Greek banks are the latest shakedown targets of online attackers, who recently began disrupting the banks' online sites via distributed denial-of-service attacks, demanding a payment in the Bitcoin cryptocurrency to avoid repeat disruptions.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

The banks' websites have been disrupted three times in less than a week, the Financial Times reports, citing Greek police and the country's central bank. The attackers claimed to be the hacking group known as Armada Collective and demanded a ransom payment of 20,000 bitcoins ($7.2 million) to call off their disruptions, the newspaper reports. But authorities - who have not released the names of the disrupted banks - say the group could just be using the name of the notorious DDoS gang to try to get more victims to pay up.

"No bank responded to this extortion, so the same hackers tried again at the weekend and today," a banking official told Financial Times on Nov. 30, noting that the banks have been working with their Internet service providers to bolster security defenses and network capacity (see FBI to Banks: DDoS Extortions Continue). "But we had strengthened our defense in the meantime, so no disruptions took place."

The attacks apparently disrupted banking operations at some points last week, albeit for only short periods of time. "All they achieved was to block the Web banking for a few hours. Nothing else," one Greek banker told Reuters, speaking on condition of anonymity. Another member of one of the targeted banks told the news agency: "We informed the police and the country's secret services are involved. ... It's an easy-to-handle situation. There is no need for bank clients to worry."

'Growing Trend of Aggression'

Security experts say these types of online extortion schemes are not new, from such outfits as the DDoS extortion group DDoS for Bitcoin - or DD4BC - which emerged in July 2014. "We have seen a lot of activity in relation to the DDoS-as-an-extortion technique being used by groups such as the Armada Collective and also DDB4C," says information security consultant Brian Honan, who heads Ireland's computer emergency response team.

The threat of DDoS disruptions and demand for a ransom payment in bitcoins - which makes it difficult to "follow the money" back to the attackers and identify them - is no surprise, authorities say. "Bitcoin features as the most common single payment mechanism used in extortion payments, accounting for approximately one third of cases," according to the 2015 Internet Organized Crime Threat Assessment from the association of European police agencies known as Europol.

The rise in extortion attacks is directly tied to more criminal syndicates now operating online, Europol's report says. "There is a growing trend of aggression in many cyber-attacks, and in particular the use of extortion, whether it is through sexual extortion, ransomware or by [DDoS] attacks," it says. "This boosts the psychological impact of fear and uncertainty it has on its victims. Whilst the cautious, stealthy approach goes with the stereotype of the uncertain, geeky hacker, the aggressive, confrontational approach of putting blunt pressure on individuals and businesses bears the signature of organized crime."

Speaking at the recent Irish Cyber Crime Conference in Dublin, Inspector Michael Gubbins from the Computer Crime Investigations Unit of An Garda Siochana - the Irish police - urged any business that receives a related ransom demand to "not panic," but to please call police, so they can help investigate as well as try to arrest or disrupt the actual attackers (see Irish Cybercrime Conference Targets Top Threats).

Any organization that receives a ransom demand should also review its business continuity plan, work closely with police and potentially put DDoS defense services in place, says Honan, who is also a cybersecurity adviser to Europol.

Paying Ransoms Never Pays

Criminals sometimes follow through on their threat to disrupt a business that they're attempting to extort. Earlier this year, the "Rex Mundi" hackers threatened to release stolen data on users of the French clinical laboratory Labio unless it received a 20,000 euro ($21,000) payoff. When the lab refused to pay, the hackers "doxed" the firm by releasing the stolen data.

But Honan urges organizations to never accede to ransom demands. "Don't pay the ransom," he says. "Anyone we've seen or dealt with that has not paid the ransom, all of them have not had a subsequent DDoS afterwards." Of course, that's no guarantee that the criminals won't follow through on their threat.

The fate for organizations that do pay ransoms, however, can be worse. For example, on Nov. 3, Geneva-based encrypted email service ProtonMail paid $6,000 worth of bitcoins to attackers claiming to be the Armada Group to call off their DDoS attack. But then they faced a second DDoS attack from someone claiming to be a separate group, apparently drawn by the promise of an easy shakedown. Meanwhile, rival firms HushMail, RunBox and VFEMail were also targeted within just days of the ProtonMail attacks, Financial Times reports.

It's not unusual for multiple DDoS extortion groups to target the same organization in rapid succession, says Carl Herberger, vice president of security solutions at security firm Radware, which offers DDoS defense services. In the case of ProtonMail, for example, which turned to Radware to help it block the DDoS attacks, "they paid the bitcoins, and the attack didn't stop," he says. He notes that copycat attacks are increasingly common and may also relate to gangs testing out new tools on organizations that they know have been disrupted by rivals' tools.

Herberger says attempted extortion attacks appear to be increasing, especially those targeting two groups: payment processors as well as many operators of the now more than 3,200 cryptocurrencies that are similar to Bitcoin. "It was almost the same ransom note sent to every single company," he says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.