Wednesday, November 4, 2015

Teenage script kiddies "Armada Collective" exposes the problems with Privacy, Security, and openness.

So at VFEmail we've received this nice bit of extortion from some script kiddies:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
 autolearn=disabled version=3.3.2
Received: (qmail 28848 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: (qmail 28846 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: (qmail 28844 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: by simscan 1.4.0 ppid: 28791, pid: 28819, t: 1.0843s
         scanners: clamav: 0.95.2/m:51/d:9604
Received: from unknown (HELO (bmE=@
  by with SMTP; 4 Nov 2015 01:02:27 -0000
Received: from ([]
 by with SMTPS(TLSv1_2 DHE-RSA-AES256-GCM-SHA384) (2.4.1); 3 Nov 2015 19:02:25 -0600
dkim-signature: v=1; a=rsa-sha256;; s=mail;
 c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
Received: from (BITMESSAGE [])
 by with ESMTPA
 ; Wed, 4 Nov 2015 02:02:19 +0100
X-Squirrel-FromHash: cV1fVAcLRU8=
Message-ID: <7ca346ad05d1c5851004beb98d913125 .squirrel="""">
Date: Tue, 3 Nov 2015 17:02:19 -0800
Subject: Ransom request: DDOS ATTACK!
From: "Armada Collective" 
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Assp-ID: m1-98947-08027
X-Assp-Session: 8C5D5AD8 (mail 1)
X-Assp-Version: 2.4.1(14200) on
X-Assp-Client-TLS: yes
X-Assp-Message-Score: -10 (SSL-TLS-connection-OK)
X-Assp-IP-Score: -10 (SSL-TLS-connection-OK)
X-Assp-Delay: not delayed (auto accepted); 3 Nov 2015 19:02:27 -0600
X-Original-Authentication-Results:; dkim=pass spf=pass
X-Assp-Message-Score: -10 (SPF pass)
X-Assp-IP-Score: -10 (SPF pass)
X-Assp-Message-Score: 10 (Foreign Country CH (GREEN.CH AG))
X-Assp-Message-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-IP-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-Spam-Level: ***
X-Assp-DKIM: verified-OK

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 5
Bitcoins @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz within 24 hours

When we say all, we mean all - users will not be able to access their
email at all.

Right now we will start 15 minutes attack on one of your IPs
( It will not be hard, we will not crash it at the moment
to try to minimize eventual damage, which we want to avoid at this moment.
It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday , attack will start, price to stop will
increase to 410 BTC and will go up 5 BTC for every day of attack.
In addition, we will go publicly on social networks and recommend your
users to switch to more secure providers like Tutanota and ProtonMail.

If you report this to media and try to get some free publicity by using
our name, instead of paying, attack will start permanently and will last
for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So,
no cheap protection will help.

Prevent it all with just 5 BTC @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL

Bitcoin is anonymous, nobody will ever know you cooperated.

So if you can't reach VFEmail - this is why.  Who are this little daisies?  It makes you wonder.  They tried to extort banks in Taiwan last month.  

Are they out for themselves, or working for Tutanota (who?) or Protonmail (I can't connect, maybe they're being DOSd)?   Why would they think we'd believe that they're honest enough to only perform illegal acts once or twice?  These can't be adults - maybe Nigeran scammers?  Though Tor and Bitmessage are a bit more advanced than the Nigerian scammers I've had to shut off.

Unfortunately this is the cost of privacy and security.  This is why the EU wants to ban 'strong encryption'.  Is your Gmail Calendar still down?  Who's running the botnet that is hampering your workday?
How do we infiltrate, and where do we begin?

Are you prepared to accept these costs?  The costs of downtime?  The costs of being 'disconnected'?
Personally,  I don't mind - I can live without this stuff for days.  But I've accepted responsibility for ensuring my users can get their mail - and frankly this is just out of my hands.

Much like main street, the Internet Tubes are filled with small businesses.  We can make laws in one country to help secure end-user systems (which are the likely source), but that doesn't cover other countries.  Non-first world countries where they are lucky to be online.

Who can see this bandwidth? Who can stop this?  I once had an argument with a nice German fellow - they have very strict privacy laws - about what the ISP can block.  You can't block anything in the EU.  In the US we're fighting for open access, and for good reason - but we still have to be responsible netizens. I think the ISP should have the flexibility to block potentially harmful traffic - whether it be email spam, fraud, or denial of service attacks.

This is the threat to the internet as we know it.  These DDOS extortionists.  Not only do they threaten the existence of your favorite online service, they threaten the Internet as a whole.  End users will want access.  Business will want reparations.  How can these guys be caught? Weak Encryption laws like those recently suggested in the EU.  Bandwidth throttling.  ISP service proxying and filtering.  We REALLY don't want these, but unless the black and grey hats put a stop to the worst offenders, we'll all suffer.

Any thoughts?  I'd love to hear them.  What's really bad is that they're not just affecting VFEmail and our silly little 10Mb line - I'm a local guy who supports a local ISP, not some global conglomerate buying from a Tier 1 provider with thousands of peers.  So when they attack, they're affecting a LOT of customers. Here's to hoping the Milwaukee FBI is a customer.