#1104766: Heads Up - Stealth Ravens Bitcoin-blackmailer uses Mirai Botnet

BRI comment: Translated from German
Description: Under the name Stealth Ravens, a new DDoS blackmailer has been active
in Germany since the middle of last week. Their blackmail e-mails to
e-commerce providers are accompanied by warning attacks from a Mirai botnet. The
Link11 Security Operation Center (LSOC) therefore warns all online shops
of DDoS attacks that can exceed 10 Gbps.

Stealth Ravens is currently concentrating on the e-commerce sector in
Germany. An expansion to other industries or to the neighboring countries
Austria and Switzerland cannot be ruled out; reports from Mexico
have also been coming in over the last hours.

The new perpetrators operating under the alias Stealth Raven follow proven
DDoS extortion methods in their approach, but act more aggressively than
many of their predecessors. A few hours after the extortion letter, in
which they demand 5 Bitcoins, a warning attack follows against a server of
the targeted online shop.

How Stealth Ravens operate

LSOC has analyzed several extortion letters and the perpetrators' actions
during the demo attacks, and has collected the following information about
Stealth Ravens:

Origin: DDoS extortions by Stealth Ravens have only been known since
mid-January 2016. How many perpetrators there are and from which countries
they originate is currently still unclear.

Sender addresses: These vary, but all of them are registered with
anonymous e-mail services.

Recipient addresses: The perpetrators write to the companies via general
e-mail addresses, which can easily be found in the legal notice (Impressum)
of the victims' websites.

Extortion letters: They are written in English, kept short and come straight
to the point. Identical passages alternate with information and wording
specific to each blackmail victim. The texts are not copied from DD4BC,
Armada Collective or other known DDoS extortioners. Instead of general
threats, Stealth Ravens announce a demo attack on a concrete corporate

Demo attack: According to LSOC's observations, the perpetrators consistently
carry out their announced warning attacks. Only a short time passes between
the announcement and the start of the attack. The attack bandwidths
reach up to 15 Gbps. The perpetrators allegedly use a Mirai botnet to
carry out the attacks.

Bitcoin address: The DDoS blackmailers assign a specific bitcoin address
to each company.

Payment deadline: The extorted companies have until 1 and 2 February to
buy themselves out of further DDoS attacks with Bitcoins. If a company
refuses to pay, a new attack and a doubling of the demanded amount are
threatened.

According to LSOC, the blackmail attempts by Stealth Ravens are to be
taken seriously. The DDoS security experts recommend that every online
shop activate its existing protection systems and inform its hosting
provider about the extortion attempt.
More info: https://www.btc-echo.de/bitcoin-erpresser-von-stealth-ravens-machen-mit-mirai-botnetz-ernst/

Date added Feb. 4, 2017, 8:33 a.m.
Source BTC-Echo
  • Mirai / Darkai / Linux.Gafgyt Malware / Wicked (Affects Netgear routers, CCTV-DVR devices.)
  • News Austria
  • Ransomware - Extortion etc. New Reports in
  • Stealth Ravens