Posted on May 31, 2022 at 2:44 AM

Threat Actors Execute DDoS Attack, Claim To Be From REvil Group

The defunct REvil ransomware group has claimed to be responsible for recent distributed denial of service (DDoS) attacks against some network providers, including cloud networking platform Akamai. According to reports, the defunct ransomware group is landing the campaign with a layer 7 attack.

Although the group has claimed responsibility, there is no evidence that the attack was from them, and the perpetrators may be different actors. Cybersecurity researchers noted that the attack could be the work of a copycat operation, and not exactly from the REvil group who are believed to have been dissolved.

Akamai researchers have been examining the DDoS attack since May 12, after one of the firm’s customers informed its Security Incidence Response Team (SIRT). The customers alerted the team of a foiled attack from a group that claimed they are affiliated with the REvil. 

Larry Cashdollar, Akami’s SIRT vulnerability researcher, stated that the attacks have so far targeted a site by sending a wave of HTTP/2 FET requests with some cache-busting techniques, overwhelming the websites in the process.

According to Cachdollar, the requests have business/political demands, a Bitcoin (BTC), and embedded demand for payments.

Although the threat actors claim to be REvil, the attacks this time seems smaller than other past campaigns by the group, which makes it doubtful, the researchers noted.

The Attack Seems To Have A Political Motivation 

The researchers stated that the nature of the attack makes it look political. This makes it inconsistent with the REvil method, which the original group claimed was motivated by financial gains.

The REvil group stopped operating in July 2021, after causing several data leaks and DDoS attacks for several tears. The group is a Russia-based ransom-as-a-service (RaaS) hacking syndicate, highly known for its high-profile attacks against Apple Computer, JBS Foods, and Kaseya.

After hitting several major organizations hard, authorities decided to go hard against the group, leading to the arrest of several members of the group by Europol. But in March this year, Russia came out to claim responsibility for dismantling the group. Before Europol’s operations, Russia has done nothing to prevent or mitigate the actions of the group. 

One of the members arrested at the time played a very important role in the successful operation of the ransomware group DarkSide. The campaign in May 2021 hit the servers of Colonial Pipeline. To get its data and files back, the company had to pay $5 million as a ransom. 

In the latest DDoS attack, the victim was asked to send the BTC payment to a wallet address that isn’t connected to any known BTC and has no history.

Additionally, the attack has a geospecific demand that requests and targets the company to cease business operations across the country. In particular, the threat actors threatened to execute a follow-up attack that will impact global businesses if their demands are not met and if the victim fails to pay the ransom.

It Could Be A Copycat Attack

REvil has used DDoS in its previous attacks as a way of executing a triple extortion tactic. However, it appears that the DDoS attack is the only link the present attackers have with the notorious REvil gang. Cashdollar stated that the attack doesn’t seem to be the work of a ransomware group, except it is the beginning of a completely new operation by the group. 

Generally, REvil’s operational method is to have access to the organization or target network and steal sensitive data or encrypt them. After gaining control of the network, they post a ransomware demand, informing the victim to pay up or risk exposing the data to the public. In several cases, the Revil group target critical organizations that will lose a lot if the stolen data eventually gets into the hands of the public. 

The REvil Gang Could Be Trying A New Business Model

The notorious gang is known for using several darknet sites and forums to sell or expose any data where the owners did not cooperate with them.

However, the method seen in the latest attacks “strays from their normal tactics.” According to Cashdollar, there is no indication of ransomware in the latest incident, but the REvil group is notorious for using the RaaS approach. Additionally, the REvil group has not been linked to a political campaign, but the present attack is linked to political motivation.

Cashdollar says these are some of the aspects that point that the hacking group is only a copycat of the notorious REvil gang. However, another aspect of the situation has been considered. The researcher said the attack could be a resurgence of the REvil group as they seek to enter a new business model.