Notes threatening to tank targeted companies’ stock price were embedded into ransom DDoS attacks as a string of text in the request URL.
“Hey webop_geeks, you_are_already_dead” was a note claiming to be left by the REvil ransomware gang; it was embedded into the attack itself as a string of text in the URL that carried the extortion demand. Researchers reported the interesting twist on Friday – one of several they have seen in the evolution of distributed denial-of-service (DDoS) attacks so far this year.
In a post detailing the mitigation of a recent attack that peaked at 2.5 Mrps (million requests per second) against a single website, the researchers shared several ransom notes that their targeted customer received before the attack started.
“We are observing more cases like this where the ransom note has been included as part of the attack itself, perhaps as a reminder to the target to send their bitcoin payment,” Klepfish wrote. “Of course, once the target receives this note, the attack is already underway, adding a sense of urgency to the threat.”
This was only one of several threatening ransom notes the target received before the 2.5 Mrps DDoS attack began, and the message shown was one of more than 12 million requests, each carrying an embedded note, that targeted random pages on the same site. Researchers noted: “While ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and each new phase.”
Another threatening message told “webops_geeks” to inform their bosses that they’d need to start coughing up 1 Bitcoin a day – worth around £30,000 – if they wanted to stay online. It, and other embedded messages, were signed “revil_this_is_our_dominion.”
Whether the attacks have anything to do with the REvil ransomware-as-a-service (RaaS) gang or come from an impostor is anybody’s guess. Russia dismantled REvil in January, with its Federal Security Service (FSB) claiming to have raided gang hideouts; seized currency, cars and personnel; and neutralised REvil’s infrastructure. As these things go, cyber criminal gangs, even when broken up, usually end up reforming elsewhere.
REvil does have a history of ransom DDoS, though. In October 2021, a British voice-over-IP (VoIP) firm – Voice Unlimited – was still recuperating a month after a series of apparent sustained DDoS attacks that were attributed to REvil.
The next day, attackers sent over 15 million requests to the same site, this time with a new message that warned the CEO that the attackers would eviscerate the company’s stock price by “hundreds_of_millions_in_market_cap.”
The attacks kept coming for several days, lasting up to several hours and, in 20% of cases, hitting between 90 and 750 thousand requests per second (Krps). Evidence points to the DDoS attacks coming from the massive Meris botnet. Meris draws its power from the thousands of internet-of-things (IoT) devices that have been hijacked thanks to a years-old vulnerability, tracked as CVE-2018-14847, in MikroTik routers.
“Although CVE-2018-14847 was published a while ago, attackers can still take advantage of it,” researchers added.
The Meris botnet was behind the record-breaking DDoS attack that targeted Russia’s search engine of choice – Yandex – in September 2021. Other targets for Meris in 2021 included: cybersecurity media sites Krebs on Security and Infosecurity, as well as New Zealand banks, its post mail service and the country’s MetService weather service.
They’re all cases in point for the fact that DDoS attacks shattered records in Q3. While the largest attack to hit this particular customer reached 2.5 Mrps, the researchers blocked over 64 million requests in under one minute. The attacks took only seconds to mitigate, because the sources, which impersonated legitimate browsers or a Google bot, were already known to be malicious.
Threat actors focused on business sales and communications sites that had one thing in common: being exchange-listed. Researchers again noted that this was a specific tactic: “The threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the stock price of the company.”
Now is the time for organisations to prepare for an attack, particularly given the threat actors’ promise – be they REvil or REvil wannabes – to keep hurting businesses.
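The two signals the researchers describe above – the same underscore-joined note recurring in the URLs of requests aimed at random pages, and sources that merely claim to be a browser or Googlebot – can be pulled straight out of a web server’s access log. The script below is an added example written for this article, not the researchers’ tooling; the log lines are constructed, use documentation IP ranges, and reuse only the note strings quoted in the article.

```python
"""Spot HTTP floods whose request URLs carry an embedded ransom note.

SAMPLE_LOG is a constructed Combined Log Format excerpt (documentation IPs,
note strings as quoted in the article). Not real traffic.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Three or more lowercase words glued with underscores: the shape of the embedded notes.
NOTE_RE = re.compile(r"[a-z]+(?:_[a-z]+){2,}")

SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2022:10:00:01 +0000] "GET /products/8812?q=hey_webop_geeks_you_are_already_dead HTTP/1.1" 404 201 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [18/Mar/2022:10:00:01 +0000] "GET /news/31?q=revil_this_is_our_dominion HTTP/1.1" 404 201 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0"
198.51.100.23 - - [18/Mar/2022:10:00:01 +0000] "GET /about/55?q=revil_this_is_our_dominion HTTP/1.1" 404 201 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [18/Mar/2022:10:00:02 +0000] "GET /contact?q=hey_webop_geeks_you_are_already_dead HTTP/1.1" 404 201 "-" "Mozilla/5.0 (X11; Linux) Firefox/97.0"
192.0.2.10 - - [18/Mar/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.10 - - [18/Mar/2022:10:00:03 +0000] "GET /blog/our_new_office_opens HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

def parse(text):
    """Yield parsed records, skipping lines that are not Combined Log Format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def embedded_notes(records, min_paths=2):
    """Map each underscore-joined fragment to the distinct paths carrying it.
    A note recurring across many unrelated pages is the flood signature; a legitimate
    slug such as /blog/our_new_office_opens appears on one path and is dropped."""
    paths_by_note = defaultdict(set)
    for r in records:
        base = r["path"].split("?", 1)[0]
        for frag in NOTE_RE.findall(r["path"].lower()):
            paths_by_note[frag].add(base)
    return {n: sorted(p) for n, p in paths_by_note.items() if len(p) >= min_paths}

def claimed_googlebot_sources(records):
    """IPs whose User-Agent claims to be Googlebot. The UA alone proves nothing;
    Google's documented check is a forward-confirmed reverse DNS lookup, which
    this offline example does not perform, so treat these as unverified."""
    return sorted({r["ip"] for r in records if "Googlebot" in r["ua"]})
```

Feeding a real log through `parse` and `embedded_notes` gives the recurring note fragments and the pages they were sprayed across, which is the list to hand to the mitigation provider.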