WP Armada Collective/Lizard Squad | Responding to DDoS Ransom Note

How to Respond to a DDoS Ransom Note


September 6, 2016

A group claiming to be the Armada Collective just issued a new attack warning, advising how email recipients can stop the attack:

6 – You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS:  1Pnv9xaEdBFGXzhX6EDo2XAgrDxxdg25WU

April 29, 2016

We added a ransom note from Lizard Squad.

Over the past week, distributed denial of service (DDoS) extortionists have once again threatened many organizations. This criminal group is seeking payment from its targets in exchange for a promise not to attack. According to the Swiss Governmental Computer Emergency Response Team (GovCERT.ch):

A few days ago, MELANI / GovCERT.ch started to receive reports from financial institutions in Switzerland that received a blackmail from a group that pretends to be Armada Collective. MELANI / GovCERT.ch is aware that dozens of financial institutions in Switzerland are targets of similar extortion attempts. We do not know if these extortion emails originate from the Armada Collective or not. It is possible that these originate from a copycat.

We’ve written about DDoS ransom notes in the past and in light of these events believe we should address what you can do if you receive one. Here is some information about ransom requests, and how you should consider responding.

What is a ransom note?

A ransom note is simply an email threat demanding payment in exchange for not attacking the recipient’s website, web application or infrastructure.

Here is one of the ransom notes used in the current intimidation campaign, according to GovCERT.ch:

From: Armada Collective
Subject: DDOS ATTACK!!!
Date: Wed, 9 Mar 2016 XX:XX:XX +0000


We are Armada Collective.

All your servers will be DDoS-ed starting Monday (March 14) if you
don’t pay protection – 25 Bitcoins @
If you don’t pay by Monday, attack will start, price to stop will
increase to 50 BTC and will go up 20 BTC for every day of attack.

This is not a joke.
Our attacks are extremely powerful – sometimes over 1 Tbps per second.
So, no cheap protection will help.

Prevent it all with just 25 BTC @ 17j7onEtLgS2pd6qLekKQCteqTrnAFXZVS

Do not reply, we will not read. Pay and we will know its you. AND YOU
Bitcoin is anonymous, nobody will ever know you cooperated

Here’s the latest ransom note from Lizard Squad.

From: LZ Security 


We are the Lizard Squad and we have chosen your website/network as target for our next DDoS attack.

Please perform a google search for “Lizard Squad DDoS” to have a look at some of our previous “work”.

All of your servers will be subject to a DDoS attack starting at Tuesday the 3rd of May.

What does this mean?

This means that your website and other connected services will be unavailable for everyone, during the downtime you will not be able to generate any sales. Please also note that this will severely damage your reputation amongst your users / customers as well as strongly hurt your google rankings (worst case = your website will get de-indexed).

How do I stop this?

We are willing to refrain from attacking your servers for a small fee. The current fee is 5 Bitcoins (BTC). The fee will increase by 5 Bitcoins for each day that has passed without payment.

Please send the bitcoin to the following Bitcoin address:


Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment before Tuesday the 3rd of May or the attack WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you to start with localbitcoins.com <http://localbitcoins.com/> or do a google search.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers and make sure your website will remain offline until you pay.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we won’t start the attack and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.

Note that DDoS ransom notes are not the same as ransomware, which encrypts disk drives and seeks payment in return for unlocking them. The criminal motivations are very similar, however: extracting payment from innocent individuals and organizations in exchange for being freed from an attack or theft.
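For a team that collects reported notes like the ones above, the fields worth recording are the claimed group, the demanded amounts and the payment address. The following is an added example, not code from the original post: it extracts those fields and keeps only strings that pass the Base58Check checksum used by legacy Bitcoin addresses. The sample note, the `Example Crew` name and the generated address are constructed for illustration, and `triage`, `b58check_valid` and `b58check_encode` are hypothetical helper names.

```python
import hashlib
import re
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
DEMAND_RE = re.compile(r"(?<!\w)(\d+(?:\.\d+)?)\s*(?:bitcoins?|BTC)\b", re.I)
GROUP_RE = re.compile(r"[Ww]e are (?:the )?([A-Z]\w+(?: [A-Z]\w+)*)")

def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, payload: bytes) -> str:
    """Encode version+payload+checksum; used only to build the sample address."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes ending in a correct double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[-4:] == _checksum(raw[:-4])

def triage(body: str) -> dict:
    """Pull the fields worth recording from a reported extortion email."""
    found = ADDR_RE.findall(body)
    group = GROUP_RE.search(body)
    return {
        "claimed_group": group.group(1) if group else None,
        "demands_btc": [float(x) for x in DEMAND_RE.findall(body)],
        "payment_addresses": [a for a in found if b58check_valid(a)],
        "rejected_strings": [a for a in found if not b58check_valid(a)],
        "no_reply": bool(re.search(r"do not reply", body, re.I)),
    }

# Constructed sample modelled on the notes above; the address is generated, not a real wallet.
SAMPLE_ADDR = b58check_encode(0x00, bytes(range(1, 21)))
SAMPLE_NOTE = f"""We are Example Crew.
Pay protection of 25 Bitcoins by Monday or the price will increase to 50 BTC.
Prevent it all with just 25 BTC @ {SAMPLE_ADDR}
Do not reply, we will not read."""
```

Calling `triage(SAMPLE_NOTE)` returns the claimed group, the three demand figures and the one address that passes the checksum; a mistyped or truncated address lands in `rejected_strings` instead.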

Why are attackers seeking ransom?

The answer lies in simple economics. Attackers can very inexpensively garner enough resources to attack websites, and in exchange they attempt to blackmail several organizations at once, figuring that some will pay. This is a form of what we call “DDoS arbitrage,” where it is very inexpensive to purchase resources, use those resources as a threat against a large number of organizations, and then ask for a relatively modest ransom. If only a few organizations pay, the attackers come out ahead.

Attackers are playing on human psychology, figuring that some people are apt to pay to avoid the trouble. Small businesses often have no technical support and have nowhere to turn. DDoS attacks can cost large organizations a lot of money, and lower-level managers in large organizations may be tempted to pay small amounts rather than alert their superiors. In the note above, however, the ransom is 25 or 50 Bitcoins ($10,372.50 or $20,745) — far too large to expense.

Also note that these are threats. It may be the case that attackers don’t even have the resources to bring your network down. You just never know and it’s that uncertainty that they’re preying upon.

Should I pay the ransom?

We do not recommend that your organization pay the ransom. First of all, if you pay the ransom, there is no guarantee that your site will not be attacked. Second, if you pay the ransom, you in fact make yourself a mark. Attackers know that organizations that pay once are likely to pay the ransom again in the future. Even if you pay today, you may suffer future attacks.

What should I do to prepare myself if I receive a ransom note?

If you are threatened by an organization looking to extort money in the form of ransom, you should make sure that your network is prepared for a DDoS attack. Note that attackers often scan for vulnerable networks, and they may have already identified your organization’s network as vulnerable. You should perform the same security procedures you would use to protect yourself against any kind of DDoS attack.

In an effort to help you, we have prepared a DDoS Response Playbook. It goes through a step-by-step process of what you should do before an attack, if you are attacked, and how to perform a postmortem of an attack.

How should I communicate with my customers and partners?

First and foremost, it is important that you have a communication channel with your customers. If your network is attacked, you need other communication channels, such as Twitter, that are off your network and will remain available in the event of an attack. We find that frequent and open communication is key, and we recommend it. Quite often people are sympathetic to organizations that come under attack.

Getting a ransom note is serious business. Having a response plan in place can help you prevent or ride out the threat or attack. The DDoS Response Playbook will help you pull together the teams and resources you need to protect your organization.

Need additional advice? Please let us know.