According to the 'Distributed Denial of Service Trends Report - 2nd Quarter 2015' published by VeriSign today, between the period April 1 to June 30 there was increased activity from the DDoS For Bitcoin (DD4BC) attack group. This came not only in the form of ransom threats – the ransom being demanded in Bitcoin hence the name – but also in those threats not being paid off turning into actual attacks. Most DD4BC attacks have traditionally been, and largely remain, within the one to five Gbps size range.
The report says that the second most targeted industry sector for all DDoS attacks was finance and payments which made up some 22 percent of those mitigated by VeriSign, and this was largely driven by the DD4BC attack group.
The VeriSign conclusions appear to tie in with those from other recent Internet threat reports such as Akamai's 'State of the Internet - Q2 2015' which concurs that many DDoS attacks were fuelled by actors such as DD4BC and those copying their ransom tactics and attack methodologies.
Akamai reckons that the group "expanded its extortion and DDoS campaigns during April and May" and it has found itself protecting "a growing number of customers" from DD4BC attacks as a result.
Akamai says that several customers have received ransom demands threatening DDoS attacks of between 400 and 500 Gbps if the money was not paid, although it hadn't seen anything larger than 50 Gbps in reality up until the time the report was published.
It would seem that DD4BC does not have quite the resources to pull off the size of attack that it threatens, considering that VeriSign has also not seen anything approaching three figures from it as yet, so is DD4BC actually just a bunch of (albeit fairly successful) chancers?
VeriSign reckons the attack group is comprised of a relatively small number of people, likely to be fewer than five according to VeriSign iDefense research. That hasn't stopped it from attacking targets around the world and across industry sectors including banking, exchanges (Bitcoin specifically) and gaming.
The threats seem to follow the same general form: they start with an extortion demand threatening a DDoS attack if a one-off Bitcoin payment isn't made. If the initial threat is ignored, an increased ransom demand is made before a small demonstration DDoS attack is launched in order to 'prove our claims'. If still no ransom is forthcoming, larger attacks in the 10-30 Gbps range are launched, again with increased demands for payment.
Here's an actual example of an extortion email sent by the DD4BC group:
"To introduce ourselves first:
Or just google “DD4BC” and you will find more info. So, it's your turn! All your servers are going under DDoS attack unless you pay 40 Bitcoin. Pay to xxxxxxxxxxxxxx
Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps. Right now we are running small demonstrative attack on one of your IPs: X.X.X.X Don't worry, it will not be hard and will stop in 1 hour. It's just to prove that we are serious.
We are aware that you probably don't have 40 BTC at the moment, so we are giving you 24 hours to get it and pay us.
Find the best exchanger for you on howtobuybitcoins.info or localbitcoins.com You can pay directly through exchanger to our BTC address, you don't even need to have BTC wallet.
Current price of 1 BTC is about 230 USD, so we are cheap, at the moment. But if you ignore us, price will increase."
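The note above follows a recognisable template (ransom in BTC, a claimed flood capacity, a demonstration target, a deadline). As an added example that is not part of the article or any vendor's tooling, here is a small triage helper that pulls those fields out of such a note and flags when the claimed capacity exceeds the largest attack actually observed (the 50 Gbps Akamai figure quoted earlier). The sample note is a constructed reproduction of the quoted text; the address and IP placeholders are kept as placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, List

# Constructed sample modelled on the extortion note quoted in the article.
# The BTC address and the target IP are placeholders, not real values.
SAMPLE_NOTE = """\
Or just google "DD4BC" and you will find more info. So, it's your turn!
All your servers are going under DDoS attack unless you pay 40 Bitcoin.
Pay to xxxxxxxxxxxxxx
Please note that it will not be easy to mitigate our attack, because our
current UDP flood power is 400-500 Gbps. Right now we are running small
demonstrative attack on one of your IPs: X.X.X.X Don't worry, it will not
be hard and will stop in 1 hour. It's just to prove that we are serious.
We are aware that you probably don't have 40 BTC at the moment, so we are
giving you 24 hours to get it and pay us.
"""

# Largest DD4BC attack actually observed, per the Akamai figure in the article.
OBSERVED_MAX_GBPS = 50

# Phrases typical of this family of ransom notes (assumed indicator list).
INDICATOR_TERMS = ("ddos", "bitcoin", "btc", "gbps", "demonstrative", "pay to")


@dataclass
class ExtortionTriage:
    ransom_btc: Optional[float]
    claimed_gbps: Optional[int]
    deadline_hours: Optional[int]
    demo_target: Optional[str]
    indicators: List[str] = field(default_factory=list)
    claim_exceeds_observed: bool = False


def triage_note(text: str) -> ExtortionTriage:
    """Extract the structured fields an analyst wants from a DDoS ransom note."""
    low = text.lower()
    indicators = [t for t in INDICATOR_TERMS if t in low]
    ransom = re.search(r"pay\s+(\d+(?:\.\d+)?)\s*(?:bitcoin|btc)", low)
    gbps = re.search(r"(\d+)(?:\s*-\s*(\d+))?\s*gbps", low)
    deadline = re.search(r"(\d+)\s*hours?\s+to\s+get\s+it", low)
    target = re.search(r"ips?:\s*(\S+)", text, re.IGNORECASE)
    # For a claimed range such as "400-500 Gbps", keep the upper bound.
    claimed = int(gbps.group(2) or gbps.group(1)) if gbps else None
    return ExtortionTriage(
        ransom_btc=float(ransom.group(1)) if ransom else None,
        claimed_gbps=claimed,
        deadline_hours=int(deadline.group(1)) if deadline else None,
        demo_target=target.group(1) if target else None,
        indicators=indicators,
        claim_exceeds_observed=claimed is not None and claimed > OBSERVED_MAX_GBPS,
    )
```

The extracted fields (ransom amount, deadline, demonstration target) are what an incident record needs, and the claim-versus-observed flag is a reminder that the stated capacity is a pressure tactic, not a measurement.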