Cybersecurity company Imperva on Friday said it recently mitigated a ransom distributed denial-of-service (DDoS) attack targeting an unnamed website that peaked at 2. 5 million requests per second (RPS).
“While ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase,” Nelli Klepfish, security analyst at Imperva, said. “For example, we’ve seen instances where the ransom note is included in the attack itself embedded into a URL request. “
The top sources of the attacks came from Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.
Distributed Denial-of Service (DDoS), attacks, are subcategories of DoS attacks. In these attacks, an army of connected internet devices (known as a botnet) is used to flood a targeted website with fake traffic to make it unusable to legit users.
The California-headquartered firm said that the affected entity received multiple ransom notes included as part of the DDoS attacks, demanding the company make a bitcoin payment to stay online and avoid losing “hundreds of millions in market cap. “
In an interesting twist, the attackers are calling themselves REvil, the infamous ransomware-as-a-service cartel that suffered a major setback after a number of its operators were arrested by Russian law enforcement authorities earlier this January.
“It is not clear however whether the threats were really made by the original REvil group or by an imposter,” Klepfish noted.
The 2. 5 million RPS attack is said to have lasted less than a minute, with one of the sister sites operated by the same company sustaining a similar attack that lasted approximately 10 minutes, even as the tactics employed were constantly changed to avert possible mitigation.
Evidence gathered by Imperva points to the DDoS attacks originating from the Meris botnet, which has continued to leverage a now-addressed security vulnerability in Mikrotik routers (CVE-2018-14847) to strike targets, including Yandex.
” The threat actors seem to want sites that are primarily focused on communications and sales. Klepfish stated. Targets are usually U.S. or European-based. The one commonality is that all of them are exchange-listed companies. Threat actors then use this advantage to refer to potential damages a DDoS attack can do to the stock price. “
Malicious actors were spotted using a new amplifying technique, TCP Middlebox Reflection, to flood the web hosting, banking and media industries with fake traffic.
The ransom DDoS attack is also the second botnet-related activity averted by Imperva since the start of the year, what with the company detailing a web scraping attack that targeted an unidentified job listing platform in late January.
“The attacker used a large-scale botnet, generating no less than 400 million bot requests from nearly 400,000 unique IP addresses over four days with the intent of harvesting job seekers’ profiles,” the security firm said.