DDoS Extortion Attack Flagged as Possible REvil Resurgence

A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang.

Concern has been raised that a coordinated distributed denial-of-service (DDoS) attack from a malicious actor could be associated with the notorious ransomware-as-a-service (RaaS) group REvil.

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the attack was aimed at one of Akamai’s hospitality customers. It consisted of a simple HTTP GET request, with a message demanding payment to a Bitcoin (BTC) wallet in exchange for stopping the attack. It also included an additional request for the company to stop operating in a specific country.

Because the demand to stop operating in that country appeared to stem from a recent Supreme Court decision there, the attack took on a political flavor that Akamai analysts say would be a break with REvil’s earlier strategies.

“We haven’t seen them linked to hacktivism or political goals in any of the previously reported attacks,” according to Akamai.

On the technical front, the use of proxying capabilities and a “fairly well” distributed set of attacking IPs indicated that some level of coordination was required between the attacker and the proxying system, the Wednesday report notes.

And, due to the extensive use of MikroTik devices identified among the attacking sources, the report suggests the attack could be supported by the MikroTik-based Meris botnet, which also has links to REvil. That said, the low volume of requests per second (Rps) and the relatively unsophisticated nature of the campaign are atypical of Meris attacks, the report notes.
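The two observable traits the report leans on, an HTTP GET carrying a payment demand and a wallet address, and a request stream that is spread across many source IPs but low in requests per second, can be checked directly against a web server's access log. The following Python is an added example written for this article; it is not code from Akamai's report or from the SIRT. It assumes the logs are in Apache/nginx combined format and that the extortion text is embedded in the request target, referer or User-Agent (the article does not say where in the request the message sat). The log lines, IP addresses and wallet address in `SAMPLE_LOG` are constructed placeholders, not indicators from the incident.

```python
import json
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Assumed layout: Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Legacy base58 (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_RE = re.compile(r'\b(?:bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')

# A wallet address alone is not enough; require extortion vocabulary as well.
EXTORTION_WORDS = ("pay", "btc", "bitcoin", "ddos", "attack")

# Constructed sample log: four note-bearing GETs from three sources, plus two
# benign hospitality-site requests. Addresses are documentation ranges.
NOTE = "Pay%201%20BTC%20to%20bc1qexampleplaceholderaddress0000000000000%20or%20the%20DDoS%20continues"
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [27/May/2022:10:15:01 +0000] "GET /?note={NOTE} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [27/May/2022:10:15:01 +0000] "GET /?note={NOTE} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'192.0.2.44 - - [27/May/2022:10:15:01 +0000] "GET /?note={NOTE} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [27/May/2022:10:15:02 +0000] "GET /?note={NOTE} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.88 - - [27/May/2022:10:15:02 +0000] "GET /rooms/availability?date=2022-06-01 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/May/2022:10:15:03 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
])


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Percent-decode the fields an attacker can fill with free text.
    rec["text"] = " ".join(unquote(rec[k]) for k in ("target", "referer", "ua"))
    return rec


def is_extortion_request(rec):
    """True when a request carries both a wallet address and extortion wording."""
    lowered = rec["text"].lower()
    return bool(BTC_RE.search(rec["text"])) and any(w in lowered for w in EXTORTION_WORDS)


def summarize(log_text):
    """Flag note-bearing requests and report the traits the report keys on:
    how many distinct sources sent them (distribution) and the peak per-second
    rate (volume), plus every wallet seen so it can be checked against known ones."""
    flagged = [r for r in (parse_line(l) for l in log_text.splitlines())
               if r and is_extortion_request(r)]
    per_second = Counter(r["ts"].replace(microsecond=0) for r in flagged)
    wallets = Counter(a for r in flagged for a in BTC_RE.findall(r["text"]))
    return {
        "flagged_requests": len(flagged),
        "distinct_sources": len({r["ip"] for r in flagged}),
        "peak_rps": max(per_second.values(), default=0),
        "wallets": dict(wallets),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the sample input this reports four flagged requests from three distinct sources with a peak of three requests per second. In practice the wallet list is the piece worth keeping: the article notes that the BTC wallet in this incident had no previous connection to REvil, and a running list of wallets seen in notes is exactly what lets a defender make that comparison rather than take the name in the note at face value.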

REvil Redux?

Since REvil was reportedly dismantled by the Russian government earlier this year, there have been hints that the gang – or at least some of its former members – is putting itself back together.

In April, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

And in March, security firm Imperva reported mitigating a ransom DDoS attack tied to the Meris botnet that measured 2.5 million requests per second (Mrps). The customer received a series of ransom notes that also claimed the attack came from REvil.

While some groups have used DDoS in the past as an extra layer of pressure on ransomware victims to pay up, in both the March incident and this latest case the attack was pure-play DDoS.

"We haven't seen ransomware linked to these campaigns. The only tie to ransomware is the naming of REvil in the extortion demands," says SIRT engineer Chad Seaman.

But as to whether this latest incident means that REvil is truly back and testing out new techniques, Seaman is skeptical.

“I don't feel there are strong indicators here that this is indeed a resurgence of REvil,” he says. “Even in the prior reported campaigns, I don't believe there are strong indicators that positively attribute those attacks to REvil in reality.”

The alert also pointed out, for instance, that the BTC wallet has no previous connection to REvil. And the gang has maintained in the past that it is purely profit-driven, after all.

Seaman says the threat is more likely to stem from a copycat group looking to leverage REvil’s notoriety.

DDoS Extortion: A New Avenue for Fear

Whether it is REvil or someone borrowing the name and reputation, he added, the attack is clearly a play on fear in the hopes of easy money, so the most concerning takeaway from Akamai’s investigation is the fear and panic associated with the threat.

“This is the goal of these types of attacks: to scare the victim into paying, lending credibility to the threat using a scary name,” he explained. “When these campaigns spin up and start to get press, it's typically followed by a surge of copycats.”

From Seaman’s perspective, publishing reports like these requires a delicate balance: notifying the public of the threat without letting the threat turn into a wildfire of copycats.

“We're hoping to help raise awareness while ramping down the associated fear because if we don't get out in front of these types of campaigns and fear-based reporting outpaces sane analysis, it only serves to fuel the fire, not fight it,” he said.