RDoS campaign underway in the United States


This blog discusses active research from Radware’s ERT research team regarding a DDoS for Ransom campaign.

This is a preliminary report and will be updated accordingly.

Since the ProtonMail attack in 2015, Radware’s ERT has been tracking and mitigating DDoS for Ransom campaigns, RDoS, from groups like the Armada Collective. An RDoS campaign is a distributed denial of service (DDoS) attack motivated by monetary gain. Attackers typically start with an email or a post threatening to launch an attack at a certain day and time unless a ransom in Bitcoin is paid. In some cases, attackers will launch a mini-attack or sample attack on the victim’s network as evidence that the threat is real.

RDoS campaigns can be financially rewarding to a cyber-criminal who enjoys making large amounts of money for little to no investment. Because of this, many hacking groups now imitate this modus operandi and spam similar ransom threats using other group names, with no intention of launching an attack. In 2016 many opportunists emerged using infamous names like the Armada Collective, Anonymous and Lizard Squad to spread fear and gain credibility for their threats. This year we have even seen groups pretending to be Fancy Bear/APT28.

[You might also like: As Cyber Security Programs Lose Their Moorings to Ransom-DoS: Radware Introduces the Ultimate Guide to Cyber Ransom]

Over the last several weeks Radware has witnessed an increase in RDoS campaigns in the Asian Pacific. Two groups emerged mid-June using the names Anonymous and the Armada Collective in an attempt to ransom dozens of financial institutions in China and South Korea.  The group claiming to be the Armada Collective was requesting $315,000 USD under threat of a network-crippling DDoS attack. In South Korea, a number of organizations that received the ransom email also experienced sample SYN and NTP floods ranging between 5-20Gbps. In this campaign, the attackers did not follow through with their original threat even though sample attacks were launched.

Currently Radware’s ERT team is tracking a similar campaign in the United States. Several large financial institutions in the U.S. have received email threats this week from a group claiming to be Anonymous. This group is requesting 100 bitcoins to be paid within seven days under the threat of being attacked by an IoT botnet. Radware’s ERT Research division can say with high confidence that this is likely the same group that was behind the string of attacks in the Asian Pacific.  At the moment, no sample attacks have been recorded but a number of victims have received letters similar to those sent out in China and South Korea.

Figure 1: Ransom letter sent to financial institutions in the United States

Companies should be advised not to pay an extortionist and to seek professional assistance for mitigating RDoS attacks.

We will update this blog as more information becomes available.


Download the “Cyber Ransom Survival Guide: The Growing Threat of Ransomware and RDoS – and What to Do About It” to learn more.

Download Now

Previous articleThe Service Side of Denial of Service
Next articleAd Title: Heavy Reading White Paper
Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.


Please enter your comment!
Please enter your name here