54BD 783A 27D2 85C1 C46D 5A02 3651 ADE3 E402 9FC2

One of our institutions received the following threatening email. Research attributed no attacks (only threats) to this group. The SANReN CSIRT assisted by providing a quick vulnerability assessment and advised patching one public facing system with a significant vulnerability. No further actions/incidents were reported.

Subject: “EXS” Armada-Collective Invoice “EXS”

We are a HACKER TEAM – Armada Collective

1 – We have checked your information security systems, setup is poor; the systems are very vulnerable and obsolete.
2 – We’ll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!
3 – We’ll execute some targeted attacks and check your DDoS servers by the 10-300 Gbps attack power
4 – We’ll run a security breach test of your servers through the determined vulnerability, and we’ll gain the access to your databases.
5 – All the computers on your network will be attacked  for Cerber – Crypto-Ransomware
6 – You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS:  ####removed####
7 – If you do not pay before the attack 1 bitcoin, the price will increase to 20 bitcoins
8 – You have time to decide! Transfer 1 bitcoin to ADDRESS: ####removed####

These kinds of emails are reportedly attempts to extort money from targeted institutions by coercion. Authoritative news articles indicate that these threats from “Armada Collective” are not carried out irrespective of whether the money is paid or not1 2. They can take various forms but follow a similar pattern3. (Note though that there was previously group called “DD4BC” which did carry out their threats but on a smaller scale. The Armada Collective may be a copycat group banking on DD4BC’s reputation.)


  1. Do not pay.
  2. Follow the advice on mitigating DDoS attacks as a precaution.
  3. Please forward the email to our team for further analysis and advice.
  4. Contact us for a vulnerability assessment.


1Cloudfare: Empty DDoS Threats: Meet the Armada Collective

2Recorded Future: DD4BC, Armada Collective, and the Rise of Cyber Extortion

3GovCERT.ch: Armada Collective blackmails Swiss Hosting Providers