Link11 warns: DDoS Extorters Stealth Ravens mean serious Business with Mirai Botnet

  • Katrin Graewe
  • February 1, 2017


Link11 warns: DDoS Extorters Stealth Ravens mean serious Business with Mirai Botnet

Since the end of January a new DDoS extortion group with the alias Stealth Ravens is active in Germany. Their extortion mails received by ecommerce services are accompanied by warning attacks through a Mirai botnet. The Link11 Security Operation Center (LSOC) is warning online shop providers about DDoS attack reaching more than 10 Gbps.

Frankfurt/M., 31.01.2017 – These new perpetrators calling themselves Stealth Ravens show the same extortion methods used by known groups Armada Collective, DD4BC and Kadyrovtsy but are far more aggressive than their predecessors. In the hours after receiving the extortion mail in which they demand 5 Bitcoins the online shop finds itself under a warning attack.

How the Stealth Ravens operate

The LSOC has analyzed various extortion mails and the act of the perpetrators and has summarized the following information on the Stealth Ravens:

Origin: DDoS extortions by Stealth Ravens are only known since around middle of January 2017. How many perpetrators are actually acting behind the scenes and where they come from is still unknown.

Industry: The victims so far are ecommerce businesses of different sizes. Their product offering ranges from entertainment, household electronic devices and sanitation products.

Sender address: These differ from mail to mail. But they are all registered at anonymous email services.

Recipients: The perpetrators send their mails to the businesses via neutral email addresses that can be found easily on the websites of those companies.

Extortion mails: They are written in English, are very short and straightforward. Identical passages are exchanged with individual information and phrasing from victim to victim. Their tests are nevertheless not copied from DD4BC, Armada Collective or other well-known DDoS extorters. Instead of blatant threats, Stealth Ravens do announce a demonstration attack on the precise servers.

Demonstration Attack: Their announced warning attacks are executed as far as the LSOC has researched. They do not waste time to initiate their attack. The attack bandwidths peak at somewhere around 15 Gbps. Apparently the perpetrates have access to a Mirai botnet to execute their attacks.

Bitcoin address: The extorters give every victim an individual Bitcoin address.

Payment deadline: The extorted businesses have averagely 72 hours to pay the ransom and buy themselves out of further DDoS attacks. In case a business refuses to pay the extorters threaten with further attacks and the doubling of the ransom.

Warning on aggressive perpetrators

According to the view of the LSOC these extortion attempts by Stealth Ravens have to be taken very serious. The DDoS protection experts recommend every online shop to activate their protection shields and to inform their hosting provider about the extortions and potential imminent attacks.

Currently the Stealth Ravens are concentrating on the ecommerce industry in Germany. An expansion of their activities to other industries as well as other countries in Europe cannot be ruled out.

When the DDoS extorters do execute their announced follow-up attacks on one of the DDoS protected clients of Link11, the LSOC will defend these immediately by blocking the correspondent attacks. Afterwards the security experts will concentrate on analyzing the attack information.

The Underground Economy: Data and Cyber-Attacks
DDoS Attacks that Hit the Headlines in 2019
This site is registered on as a development site.