Currently, the cybercriminal group DD4BC (DDoS for Bitcoins) is blackmailing companies in Germany and Austria and also attacking them.Large companies in the financial sector as well as SaaS and hosting companies receive blackmail emails from anonymous mail services such as openmailbox.org and tutanote.com, in which up to 50 bitcoins (approx. 11,500 euros) are demanded within 24 hours, depending on the industry. If the payment is not made, DD4BC threatens with ongoing DDoS attacks with a volume of 400 to 500 Gbps. In addition, the demand for protection money increases to 100 Bitcoins and continues to rise at hourly intervals.
Serious DDoS threat situation
DD4BC directly supports the seriousness of its demands in the blackmail with a first DDoS attack and thus demonstrates its own cybercrime capabilities. The attack overloads the systems of companies without DDoS protection in most cases and brings web-based services and processes as well as company networks to a complete standstill. If the required Bitcoin payment is not made, the blackmailers launch the announced attack with peaks of up to 50 Gbps.
Countries in which DD4BC was already active
Jens-Philipp Jung, Managing Director of Link11 GmbH: “The number of companies put under pressure by DD4BC is alarming. Due to the unannounced first DDoS attack and the increased number of incidents in the DACH region, the danger for unprotected companies in Germany is currently very high. It was only at the beginning of May that we had to warn German e-commerce shops of the biggest blackmail wave to date. In the current incidents, money claims are directed against the financial sector and providers of online services. Every company that receives a blackmailer e-mail from DD4BC should take it seriously. Even a warning attack can hit a company network hard.”
Technical details on DD4BC’s DDoS attacks
The Link11 Security Operation Center (LSOC for short) has fended off numerous DD4BC attacks since the beginning of the blackmail wave at the end of June 215, analyzed the course of action as well as the threat and identified recurring attack patterns: At the beginning there is a UDP flood to the web servers, followed in most cases by a TCP SYN flood. In total, the attack usually lasts about an hour and reaches peak bandwidths close to 100 Gbps.
The “Link11 security analysis DDoS blackmail by DD4BC” summarizes the detailed findings at https://www.ddos-info.de/2015/link11-warnt-vor-dd4bc-ddos-erpressung-in-deutschland.html .
DD4BC are repeat offenders
DD4BC has long been known among DDoS protection experts. Since the end of 2014, the cybercrime group has repeatedly used DDoS attacks against companies to gain access to Bitcoins. They proceed country by country: USA, New Zealand, Australia, Great Britain. DD4BC was still very active in Switzerland and Great Britain in May, but attacked companies in Scandinavia just a few weeks later. Neither the anonymous e-mail addresses nor the Bitcoin accounts can be traced back.