A coordinated DDoS (distributed denial-of-service) attack was recently detected, which experts attribute to the notorious ransomware gang dubbed REvil.
Based on an intelligence team's report, the recently detected DDoS attack targeted customers of Akamai Technologies and involved an HTTP GET request demanding a BTC payment from the victims in exchange for stopping the attacks. Aside from the monetary demand, the unidentified threat group also required the firm to stop operating in a specific geographic location.
The demand to discontinue operations in a specific country intrigued the researchers, leading them to presume that it stems from a recent court decision that could have disrupted REvil's strategies back when the gang was still active.
Moreover, the use of MikroTik proxies in these recently detected attacks, with traffic arriving from well-distributed IP addresses, indicated a level of coordination in the background between the main threat actor and the proxying system. Further supporting the experts' assumption that the attack is linked to REvil is the extensive use of MikroTik network equipment, which underpins the Meris botnet widely used by the notorious gang in its activities.
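The two technical details above, an extortion note carried inside an HTTP GET request and the same note arriving from many distributed source IPs, are what a defender can actually look for in web server logs. The script below is an added example written for this article; it is not code from the report or from the researchers. It parses combined-format access log lines, percent-decodes each request target, scores it against several indicator categories (currency term, payment demand, threat wording, wallet-shaped token), treats a request as an extortion note only when at least two categories co-occur (so ordinary traffic that merely mentions "bitcoin" is not flagged), and then groups hits by source IP to show how widely distributed the senders are. The log lines, IP addresses (RFC 5737 documentation ranges), the message text and the wallet-looking string are all constructed placeholders; the page does not give the real request format.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Combined/common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator categories, matched against the decoded, lower-cased request target.
# A request counts as an extortion note only when MIN_CATEGORIES distinct
# categories are present; a lone "bitcoin" in a search query is not enough.
INDICATORS = {
    "currency": re.compile(r"\b(btc|bitcoin|xmr|monero)\b"),
    "demand": re.compile(r"\b(pay(ment)?|send|transfer)\b"),
    "threat": re.compile(r"\b(ddos|attack|stop|continue|flood)\b"),
    # Loose wallet-shaped token (bech32-style or legacy base58 length); heuristic only.
    "wallet": re.compile(r"\b(bc1[a-z0-9]{25,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}
MIN_CATEGORIES = 2

# Constructed sample log: three sources carrying a fake note, two benign clients.
# "bc1qexampleplaceholder0000000000000000" is a placeholder, not a real address.
NOTE = "/?msg=pay+1+btc+to+bc1qexampleplaceholder0000000000000000+or+the+ddos+continues"
SAMPLE_LOG = f"""\
203.0.113.10 - - [10/May/2022:13:00:01 +0000] "GET {NOTE} HTTP/1.1" 200 512
203.0.113.10 - - [10/May/2022:13:00:01 +0000] "GET {NOTE} HTTP/1.1" 200 512
203.0.113.10 - - [10/May/2022:13:00:02 +0000] "GET {NOTE} HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2022:13:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [10/May/2022:13:00:05 +0000] "GET /about HTTP/1.1" 200 1024
203.0.113.22 - - [10/May/2022:13:00:03 +0000] "GET {NOTE} HTTP/1.1" 200 512
203.0.113.22 - - [10/May/2022:13:00:03 +0000] "GET {NOTE} HTTP/1.1" 200 512
192.0.2.99 - - [10/May/2022:13:00:04 +0000] "GET /search?q=bitcoin+price HTTP/1.1" 200 4096
"""


def extortion_indicators(target):
    """Return the set of indicator categories found in a (possibly encoded) request target."""
    text = unquote_plus(target).lower()  # expose text hidden behind %xx / '+' encoding
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(log_text, min_categories=MIN_CATEGORIES):
    """Group extortion-style GET requests by source IP.

    Returns {ip: {"requests", "extortion_requests", "indicators", "first", "last"}}
    for every source that sent at least one flagged request.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "extortion_requests": 0,
                                  "indicators": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        if rec["method"] != "GET":
            continue
        cats = extortion_indicators(rec["target"])
        if len(cats) >= min_categories:
            entry["extortion_requests"] += 1
            entry["indicators"] |= cats
            ts = rec["ts"]
            entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
            entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return {ip: e for ip, e in per_ip.items() if e["extortion_requests"] > 0}


def summarize(report):
    """Campaign-level view: how many distinct sources carried the note, and how many hits."""
    all_cats = set().union(*(e["indicators"] for e in report.values())) if report else set()
    return {
        "sources": len(report),
        "extortion_requests": sum(e["extortion_requests"] for e in report.values()),
        "indicators": all_cats,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, e in sorted(report.items()):
        print(f"{ip}: {e['extortion_requests']}/{e['requests']} requests flagged, "
              f"{e['first'].time()}..{e['last'].time()}, indicators={sorted(e['indicators'])}")
    print("summary:", summarize(report))
```

The "sources" count in the summary is the quantity worth watching in practice: one client repeating a note is a nuisance, while the same note arriving from many unrelated addresses within seconds is the fan-out pattern the article describes for proxied botnet traffic and is a reason to rate-limit or block at the edge and preserve the logs for the incident record.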
The Russian government struck down the REvil ransomware gang earlier this year. However, several hints have since been found, leading to a theory that the group is slowly re-emerging.
Security experts noticed one hint last April, when an anti-malware firm detected and blocked a ransomware sample that only REvil had access to. Additionally, a different security firm found that REvil's leak site had been redirecting to a new host and claimed to have compromised organisations in India.
Another DDoS attack, discovered in March, also used the Meris botnet, and its victims said the ransom notes left by the attackers were from the REvil ransomware gang.
Nonetheless, security researchers still cannot conclude that REvil is behind all of these recent attacks, since other groups could be carrying them out to pressure victims into paying the ransom demands.
Even if these attacks turn out to be the work of REvil copycat groups, security experts are still warning firms and organisations to be wary of the threat and to implement strong measures that protect them from being victimised.