Over the past month, a number of Imperva Incapsula customers have received email threats from DD4BC — a DDoS group that, despite its boyband-sounding name, was actually responsible for several high-profile DDoS extortion attacks against bitcoin companies last year.
DD4BC’s previous attacks targeted bitcoin exchanges and gaming sites, presumably due to the assumption that these types of businesses would refrain from reporting attacks to law enforcement authorities. Based on the recent threats we’ve seen, it would appear that DD4BC has also started targeting the payment industry.
In this post we wanted to share our insights into these attacks so companies can better prepare themselves to deal with such an extortion scenario.
MO: Blunt Ransom Email Followed by Low-Volume DDoS Attack
The attacks we observed began with a blunt email (see below). This email informs the victim that a low-level DDoS attack is already underway- “DD4BC’s way of letting victims know that it means business.
True to the typical ransom DDoS MO, DD4BC’s email also threatened to launch a second, much larger offensive unless the victim pays a 40 BTC (~$9,200) ransom within 24 hours.
To make sure the threat is taken seriously, the email also mentioned the group’s supposed capability to launch 400+Gbps UDP flood attacks. Whether or not DD4BC has the botnet resources to execute this threat remains unclear.
Based on our experience, however, the assault that we observed consisted of a small application layer DDoS attack, peaking at 150 requests per second. This was accompanied by a medium-sized network layer attack that maxed out at 40Gbps that targeted our own IP addresses, likely as a result of the ‘IP masking‘ effect of using Incapsula’s reverse proxy CDN.
While each of these offensives could potentially take down most small and medium-sized websites, they were of little concern to solutions built for DDoS protection. Consequently, both threats were successfully mitigated, the attackers never came back and, of course, no ransom was ever paid.
From Hunted to (Bounty) Hunter
This latest wave of attacks against payment companies is not the first campaign of this nature to be launched by DD4BC. In fact, evidence of their mischief goes as far back as November 2014 with a threat to the Bitalo Bitcoin exchange. Not only did Bitalo refuse to pay the requested ransom, it slapped a bounty on DD4BC’s head to the tune of 100x the ransom amount.
Half a year later, in March 2015, Bitmain, a leading bitcoin mining hardware manufacturer, received a similar email threat from DD4BC. In this instance as well, instead of capitulating to the group’s demands, Bitmain took the requested ransom of 10 BTC and added it to Bitalo’s bounty.
Bitalo’s chosen method to strike back at the DDoS extortionists might very well prove effective. As we continue to receive reports about DD4BC activity against our clients, we encourage all companies to follow the example set by Bitmain, when it chose to increase the bounty, in what (we hope) will turn out to be a uniquely interesting crowdfunding campaign.
DD4BC Ransom Email
To introduce ourselves first: [Links to blogs describing the group’s activities]
Or just google ‘DD4BC’ and you will find more info.
Recently, we were DDoS-ing Neteller. So, yes, our attacks are powerful.
So, it’s your turn!
Your sites are going under attack unless you pay 40 Bitcoin.
Pay to [Group’s bitcoin address]
Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother.
Right now we are running small demonstrative attack.
Don’t worry, it will stop in 1 hour. It’s just to prove that we are serious.
We are aware that you probably don’t have 40 BTC at the moment, so we are giving you 24 hours to get it and pay us.
Current price of 1 BTC is about 230 USD, so we are cheap, at the moment. But if you ignore us, price will increase.
IMPORTANT: You don’t even have to reply. Just pay 40 BTC to [Group’s bitcoin address] we will know it’s you and you will never hear from us again.
We say it because for big companies it’s usually the problem as they don’t want that there is proof that they cooperated. If you need to contact us, feel free to use some free email service.
Or contact us via Bitmessage: [Group’s account]
But if you ignore us, and don’t pay within 24 hours, long term attack will start, price to stop will go to 100 BTC and will keep increasing for every hour of attack.
IMPORTANT: It’s a one-time payment. Pay and you will not hear from us ever again!
We do bad things, but we keep our word.