Subscribe to receive notifications of new posts:

Lizard Squad Ransom Threats: New Name, Same Faux Armada Collective M.O.

2016-04-29

2 min read
Lizard squad

CloudFlare recently wrote about the group of cyber criminals claiming to be be the "Armada Collective." In that article, we stressed that this group had not followed through on any of the ransom threats they had made. Quite simply, this copycat group of cyber criminals had not actually carried out a single DDoS attack—they were only trying to make easy money through fear by using the name of the original “Armada Collective” group from late 2015.

Since we published that article earlier this week, this copycat group claiming to be "Armada Collective" has stopped sending ransom threats to website owners. Extorting companies proves to be challenging when the group’s email actively encourages target companies to the search for the phrase “Armada Collective” on Google. The first search result for this phrase now returns CloudFlare’s article outing this group as a fraud.

Armada Collective Google Search Results

Beginning late Thursday evening (Pacific Standard Time) several CloudFlare customers began to receive threatening emails from a "new" group calling itself the “Lizard Squad”. These emails have a similar modus operandi to the previous ransom emails. This group was threatening DDoS attacks unless a ransom amount was paid to a Bitcoin address before a deadline. Based on discussions with other security vendors, we can confirm that at least 500 of these emails have been sent out by this group claiming to be the “Lizard Squad.”

Each of these emails is exactly identical, including a Bitcoin address that has been re-used. As we discussed in our previous article, re-using the Bitcoin address means the group of cyber criminals has no way of identify which company has paid their ransom. If this group was legitimate, you’d expect to see a unique Bitcoin address for each individual target company.

Included below is an example email from the "Lizard Squad" compared to the Armada Collective:

Lizard squad ransom email

While the emails have some differences, they are ultimately identical in their goal and how they go about attempting to extort money from the target companies. Similar to the group claiming to be the "Armada Collective", there is a general consensus within the security community that this group claiming to be the "Lizard Squad" is not in fact actually the group they claim to be. This is another copycat.

Unsurprisingly, we haven’t seen any example of the "Lizard Squad" actually following through on their threats. CloudFlare will continue to monitor the situation, and we’ll provide an update if any further changes develop.

CloudFlare would like to continue to stress the importance of not paying ransom if you receive a threat. Paying the ransom only emboldens these cyber criminals and provides them with funding to attack other companies. If you receive a threat please reach out to CloudFlare, and our team would be happy to discuss whether an attacker is known to carry through on their threats. While the threats made by these imposter groups are unlikely to result in an actual attack, we do encourage companies to use a service like CloudFlare to proactively protect their infrastructure against these types of attacks when there is a legitimate threat.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
DDoSAttacksReliabilityeCommerceSecurity

Follow on X

Cloudflare|@cloudflare

Related posts

November 20, 2024 10:00 PM

Bigger and badder: how DDoS attack sizes have evolved over the last decade

If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps). ...

November 06, 2024 8:00 AM

Exploring Internet traffic shifts and cyber attacks during the 2024 US election

Election Day 2024 in the US saw a surge in cyber activity. Cloudflare blocked several DDoS attacks on political and election sites, ensuring no impact. In this post, we analyze these attacks, as well Internet traffic increases across the US and other key trends....