DDoS attackers pose as REvil, sparking fear the gang is back


Attackers claim they represent the infamous REvil ransomware gang, considered defunct for months.

A recent distributed denial-of-service (DDoS) attack against a hospitality firm displayed a familiar message, as the attackers named themselves REvil.

A report by Akamai, a cloud networking provider, says that the company's client was targeted with a DDoS attack. Interestingly, in the note demanding payment, the attackers identified themselves as the REvil group.


Researchers at Akamai have been monitoring the DDoS attack since a customer alerted the company's Security Incident Response Team (SIRT) on May 12.

"The attacks so far target a site by sending a wave of HTTP/2 GET requests with some cache-busting techniques to overwhelm the website. The requests contain embedded demands for payment, a bitcoin (BTC) wallet, and business/political demands," reads the report.
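The report describes the flood only in outline: HTTP/2 GET requests against one site, each carrying a cache-busting variation so that the origin rather than a cache has to serve it, with the extortion text embedded in the requests. The detection sketch below is an added example, not code from Akamai or from this article. It parses web-server access-log lines in the common "combined" format, groups GET requests per path, and flags a path as a cache-busting flood when nearly every request in a window carries a different query string; it also pulls out query strings that contain payment-demand keywords. The log lines, the keyword list and the thresholds are constructed assumptions for illustration.

```python
"""Flag HTTP GET floods that use cache-busting query strings.

Added example, not from the Akamai report or the article. Operates on
constructed access-log lines in Apache/Nginx "combined" format; the window,
request count and keyword thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log (RFC 5737 documentation addresses): one path is hit by
# many clients, each with a unique query string; two requests embed a demand.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2022:10:00:01 +0000] "GET /index.html?cb=a81f3c HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/May/2022:10:00:01 +0000] "GET /index.html?cb=9e02bb&msg=pay+1+btc+to+WALLET HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [12/May/2022:10:00:02 +0000] "GET /index.html?cb=51d7a0 HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [12/May/2022:10:00:02 +0000] "GET /index.html?cb=c44e19&msg=pay+1+btc+to+WALLET HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [12/May/2022:10:00:03 +0000] "GET /index.html?cb=7b3f02 HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2022:10:00:03 +0000] "GET /about.html HTTP/2.0" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [12/May/2022:10:00:04 +0000] "GET /about.html HTTP/2.0" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD URL PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed keyword list for spotting extortion text embedded in the query string.
DEMAND_WORDS = ("btc", "bitcoin", "wallet", "pay")


def parse_line(line):
    """Return a dict with ip, timestamp, method, path, query and protocol,
    or None when the line does not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": url.path,
        "query": url.query,
        "proto": m["proto"],
    }


def find_cache_busting_floods(log_text, window_seconds=60,
                              min_requests=5, min_unique_ratio=0.8):
    """Group GET requests per path inside a time window and report paths where
    almost every request carries a different query string.

    Returns {path: summary}. The window is simplified to "within
    window_seconds of the first request for that path"; a production detector
    would slide the window across the whole log."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_path[rec["path"]].append(rec)

    findings = {}
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        start = recs[0]["ts"]
        in_window = [r for r in recs
                     if (r["ts"] - start).total_seconds() <= window_seconds]
        if len(in_window) < min_requests:
            continue
        unique_queries = {r["query"] for r in in_window}
        # Legitimate traffic repeats query strings; a flood that defeats
        # caching makes each one distinct.
        if len(unique_queries) / len(in_window) < min_unique_ratio:
            continue
        demands = sorted({
            r["query"] for r in in_window
            if any(w in r["query"].lower() for w in DEMAND_WORDS)
        })
        findings[path] = {
            "requests": len(in_window),
            "unique_queries": len(unique_queries),
            "source_ips": len({r["ip"] for r in in_window}),
            "embedded_demands": demands,
        }
    return findings


if __name__ == "__main__":
    for path, summary in find_cache_busting_floods(SAMPLE_LOG).items():
        print(path, summary)
```

On the constructed sample, `/index.html` is reported (five requests from five addresses, five distinct query strings, two of them carrying a demand) while `/about.html` is not. The ratio of distinct query strings to requests is the useful signal here because a cache-busting flood, unlike a normal traffic spike, is designed so that no two requests look alike to the cache.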

Alongside the monetary demands, the attackers also demanded that the targeted company cease business operations across an entire country, and said the attack would persist until both the monetary and the political demands were met.

Political demands have not been a distinct feature of REvil. However, some experts believe that political affiliations have played a part in ransomware attacks on the West's critical infrastructure.

However, according to Akamai's report, it's not entirely clear whether the attackers posing as REvil are the real thing. For one, the bitcoin wallet address the attackers use has no apparent link to the original REvil group.

It's possible that the cybercriminals adopted the age-old tactic of intimidation: posing as a member of a notorious criminal gang might push a victim to pay the extortion money more quickly.

The death throes of REvil


The notorious REvil ransomware gang is best known for extortion attacks against meat supplier JBS and software company Kaseya. Both attacks sent shockwaves through the infosec community and posed questions about the safety of critical infrastructure.

However, in January, the Russian domestic intelligence service, the FSB, detained 14 people and seized 426 million roubles, $600,000, 500,000 euros, computer equipment, 20 luxury cars, and other assets. At the time, many speculated this might be the final nail in REvil's coffin.

Cybersecurity researchers have noted that traces of the group do appear in some attacks. However, experts have no clear answer as to whether the original REvil is back. Even if REvil is not back, it's not uncommon for cybercriminals to rebrand or completely change their modus operandi.