Actors claiming to be the defunct ransomware group are targeting one of Akamai's customers with a Layer 7 attack, demanding an extortion payment in Bitcoin.
The defunct REvil ransomware gang is claiming responsibility for an ongoing distributed denial of service (DDoS) campaign against a hospitality customer of cloud networking provider Akamai. However, it is quite possible that the attack is not a resurgence of the notorious cybercriminal group but a copycat operation, researchers said.
Akamai researchers have been monitoring the DDoS attack since May 12, when a customer alerted the company's Security Incident Response Team (SIRT) to an attempted attack by a group claiming to be associated with REvil, Akamai revealed in a blog post Wednesday.
“The attacks so far focus on a site by sending a wave of HTTP/2 GET requests with some cache-busting tactics to overwhelm the website,” Akamai SIRT vulnerability researcher Larry Cashdollar wrote in the post. “The requests contain embedded demands for payment, a bitcoin (BTC) wallet, and business/political demands.”
However, even though the attackers claim to be REvil, it is unclear at this time whether the defunct ransomware group is responsible, as the attempts appear smaller than earlier similar campaigns for which the group claimed responsibility, researchers said.
There also appears to be a political motivation behind the DDoS campaign, which is inconsistent with REvil's past tactics, in which the group claimed it was motivated purely by financial gain.
Return of REvil?
REvil, which went dark in July 2021, was a Russia-based ransomware-as-a-service (RaaS) group well known for its high-profile attacks against Kaseya, JBS Foods and Apple Computer, among others. The disruptive nature of its attacks spurred international authorities to go hard against the group, with Europol arresting a number of the gang's affiliates in November 2021.
Finally, in March 2022, Russia, which until then had done little to thwart REvil's operation, claimed responsibility for fully dismantling the group at the request of the U.S. government, apprehending its individual members. One of those arrested at the time was instrumental in helping the ransomware group DarkSide carry out a crippling attack in May 2021 against Colonial Pipeline, which resulted in the company paying $5 million in ransom.
The new DDoS attack, which would be a pivot for REvil, consisted of a simple HTTP GET request in which the request path carried a 554-byte message to the target demanding payment, researchers said. Traffic in the attack on Layer 7 of the network, the human-computer interaction layer in which applications access network services, peaked at 15 kRps.
The victim was directed to send the BTC payment to a wallet address that “currently has no history and is not tied to any previously known BTC,” Cashdollar wrote.
The attack also carried an additional geospecific demand that asked the targeted company to cease business operations across an entire country, he said. Specifically, the attackers threatened to launch a follow-up attack that would affect global business operations if this demand was not met and the ransom was not paid within a specific timeframe.
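The traffic pattern described above (a GET flood whose request path carries a long embedded message, with cache-busting query values) is something a defender can look for in web access logs. The following detector is an added example, not code from Akamai or the report; the log lines, IP addresses, thresholds and the `cb` parameter name are all constructed for illustration and would need tuning against a real site's baseline.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (not from the Akamai report): a normal client,
# followed by a flood client whose GET path embeds a long extortion message and whose
# query string carries a random cache-busting value so every request misses the cache.
MESSAGE = "PAY-X-BTC-TO-WALLET-" * 20   # placeholder stand-in for the embedded demand
LOG_LINES = [
    '203.0.113.7 - - [12/May/2022:10:00:00 +0000] "GET /index.html HTTP/2.0" 200 512',
    '203.0.113.7 - - [12/May/2022:10:00:01 +0000] "GET /rooms?city=oslo HTTP/2.0" 200 2048',
] + [
    f'198.51.100.9 - - [12/May/2022:10:00:00 +0000] "GET /{MESSAGE}?cb={i:08x} HTTP/2.0" 503 0'
    for i in range(40)
]

# Combined-log-format prefix: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d+)'
)
# Random-looking query values (long hex or long decimal) are a common cache-busting tell.
CACHE_BUST_RE = re.compile(r'^[0-9a-f]{6,}$|^\d{10,}$')

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious_get(rec, max_path_len=300):
    """Flag a GET whose path is abnormally long (room for an embedded message)
    or whose query string carries a random-looking cache-busting value."""
    if rec["method"] != "GET":
        return False
    parts = urlsplit(rec["target"])
    if len(parts.path) > max_path_len:
        return True
    for kv in parts.query.split("&"):
        _, _, value = kv.partition("=")
        if CACHE_BUST_RE.match(value):
            return True
    return False

def detect_flood(lines, rate_threshold=20):
    """Return {ip: count} for clients that sent at least rate_threshold suspicious
    GETs within one second (same timestamp bucket). The threshold is deliberately
    low for the sample; a real site would set it from its own request baseline."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_get(rec):
            buckets[(rec["ip"], rec["ts"])] += 1
    return {ip: n for (ip, ts), n in buckets.items() if n >= rate_threshold}
```

Run against the constructed sample, `detect_flood(LOG_LINES)` reports only the flooding client, while the normal client's short paths and ordinary query values pass untouched.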
Potential Copycat Attack
There is a precedent for REvil using DDoS in its previous tactics as a means of triple extortion. Aside from that, however, the attack does not appear to be the work of the ransomware group unless it is the start of an entirely new operation, Cashdollar noted.
REvil's typical modus operandi was to gain access to a target network or organization and encrypt or steal sensitive data, demanding payment to decrypt it or to prevent its leakage to the highest bidders, or threatening public disclosure of sensitive or damaging information, he explained.
The approach seen in the DDoS attack “strays from their normal tactics,” Cashdollar wrote. “The REvil gang is a RaaS provider, and there is no presence of ransomware in this incident,” he wrote.
The political motivation tied to the attack, which is linked to a legal ruling about the targeted company's business model, also goes against a claim REvil's leaders have made in the past that they are purely profit-driven. “We haven't seen REvil linked to political campaigns in any other previously reported attacks,” Cashdollar observed.
Still, it is possible that REvil is seeking a resurgence by dipping its toe into a new business model of DDoS extortion, he said. What is more likely is that the attackers in this campaign are simply using the name of a notorious cybercriminal group to frighten the targeted company into meeting their demands, Cashdollar said.
“What better way to scare your victim into payment than leveraging the name of a notable group that strikes fear into the hearts of organizations' executives and security teams across large swaths of industry,” he wrote.