CloudFlare recently wrote about the group of cyber criminals claiming to be be the "Armada Collective." In that article, we stressed that this group had not followed through on any of the ransom threats they had made. Quite simply, this copycat group of cyber criminals had not actually carried out a single DDoS attack—they were only trying to make easy money through fear by using the name of the original “Armada Collective” group from late 2015.
Since we published that article earlier this week, this copycat group claiming to be "Armada Collective" has stopped sending ransom threats to website owners. Extorting companies proves to be challenging when the group’s email actively encourages target companies to the search for the phrase “Armada Collective” on Google. The first search result for this phrase now returns CloudFlare’s article outing this group as a fraud.
Beginning late Thursday evening (Pacific Standard Time) several CloudFlare customers began to receive threatening emails from a "new" group calling itself the “Lizard Squad”. These emails have a similar modus operandi to the previous ransom emails. This group was threatening DDoS attacks unless a ransom amount was paid to a Bitcoin address before a deadline. Based on discussions with other security vendors, we can confirm that at least 500 of these emails have been sent out by this group claiming to be the “Lizard Squad.”
Each of these emails is exactly identical, including a Bitcoin address that has been re-used. As we discussed in our previous article, re-using the Bitcoin address means the group of cyber criminals has no way of identify which company has paid their ransom. If this group was legitimate, you’d expect to see a unique Bitcoin address for each individual target company.
Included below is an example email from the "Lizard Squad" compared to the Armada Collective:
While the emails have some differences, they are ultimately identical in their goal and how they go about attempting to extort money from the target companies. Similar to the group claiming to be the "Armada Collective", there is a general consensus within the security community that this group claiming to be the "Lizard Squad" is not in fact actually the group they claim to be. This is another copycat.
Unsurprisingly, we haven’t seen any example of the "Lizard Squad" actually following through on their threats. CloudFlare will continue to monitor the situation, and we’ll provide an update if any further changes develop.
CloudFlare would like to continue to stress the importance of not paying ransom if you receive a threat. Paying the ransom only emboldens these cyber criminals and provides them with funding to attack other companies. If you receive a threat please reach out to CloudFlare, and our team would be happy to discuss whether an attacker is known to carry through on their threats. While the threats made by these imposter groups are unlikely to result in an actual attack, we do encourage companies to use a service like CloudFlare to proactively protect their infrastructure against these types of attacks when there is a legitimate threat.