Cybersecurity firm Imperva reported on Friday that it successfully mitigated a substantial ransom distributed denial-of-service (DDoS) attack aimed at an undisclosed target, which peaked at a staggering 2.5 million requests per second (RPS).
Nelli Klepfish, a security analyst at Imperva, noted the evolving nature of ransom DDoS attacks, stating, “While these attacks are not new, they are becoming increasingly sophisticated with each iteration.” Notably, some of the ransom demands are now even embedded in the URLs of the DDoS traffic itself.
The primary origins of this attack were traced back to Indonesia, with significant contributions from the United States, China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.
DDoS attacks represent a subcategory of denial-of-service attacks wherein a network of connected devices, or a botnet, overwhelms a targeted website with excessive traffic, effectively rendering it inoperable for legitimate users.
The firm stated that the target received multiple ransom notes intertwined with the DDoS assault, demanding a Bitcoin payment to avert the disruption that could potentially inflict “hundreds of millions in market cap losses.”
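The two details above, ransom text carried inside request URLs and a very high request rate, are both visible in ordinary web access logs. The following detector is an added example, not code from Imperva or from its report: it parses constructed Common Log Format lines, flags requests whose URL carries ransom-note vocabulary, and reports the peak requests per second so a flood can be compared against a threshold of the operator's choosing (the sample IPs, timestamps and wording are constructed).

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); not real attack data.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2022:10:00:00 +0000] "GET /?msg=pay+1+btc+to+bc1qexample+or+we+continue HTTP/1.1" 503 0
203.0.113.11 - - [01/Mar/2022:10:00:00 +0000] "GET /?REvil+pay+btc HTTP/1.1" 503 0
203.0.113.12 - - [01/Mar/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [01/Mar/2022:10:00:01 +0000] "GET /products HTTP/1.1" 200 2048
203.0.113.13 - - [01/Mar/2022:10:00:01 +0000] "GET /?pay+bitcoin+to+stop+the+flood HTTP/1.1" 503 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Vocabulary typical of ransom notes; requiring two distinct hits keeps a lone
# "pay" in a legitimate checkout URL from triggering the rule.
RANSOM_TERMS = ("btc", "bitcoin", "pay", "ransom", "revil")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}

def has_ransom_text(path):
    """True when the URL-decoded request path contains at least two ransom terms."""
    text = unquote_plus(path).lower()
    return sum(1 for term in RANSOM_TERMS if term in text) >= 2

def analyse(log_text, rps_threshold):
    """Count requests per second and collect requests carrying ransom text."""
    per_second = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[rec["ts"]] += 1
        if has_ransom_text(rec["path"]):
            flagged.append((rec["ip"], rec["path"]))
    peak = max(per_second.values(), default=0)
    return {"peak_rps": peak, "ransom_requests": flagged, "flood": peak >= rps_threshold}
```

On a real server the threshold would be set from the site's normal peak rate, and the flagged (ip, path) pairs give the evidence to preserve alongside the mitigation record.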
Intriguingly, the attackers have adopted the name REvil, a notorious ransomware-as-a-service group that faced significant disruption following the arrest of several of its key players by Russian authorities earlier this January. However, Klepfish pointed out the uncertainty surrounding the authenticity of the attackers’ identity, suggesting that they may either be the original REvil group or impostors.
The attack, which lasted less than a minute, was accompanied by a similar incident targeting one of the affiliate sites of the affected company; that one endured for approximately ten minutes as the attackers continually adjusted their tactics to evade detection and mitigation efforts.
Evidence gathered by Imperva indicates that the DDoS attacks originated from the Mēris botnet, which exploits a previously addressed security flaw in Mikrotik routers (CVE-2018-14847). This botnet has previously targeted entities such as Yandex last September.
Klepfish emphasized that the attackers seem to focus primarily on business websites concentrated on sales and communication, typically targeting exchange-listed companies in the U.S. and Europe. The threat actors leverage the potential fallout on stock prices in their ransom demands, underscoring the financial impact a successful DDoS attack can have on a company.
The report highlights a growing trend of malicious actors utilizing amplification techniques such as TCP Middlebox Reflection, which has recently emerged in attacks against banking, travel, gaming, media, and web hosting sectors, inundating them with fake traffic.
This ransom DDoS attack marks the second instance of botnet-related activity that Imperva has thwarted this year, following an earlier incident involving a large-scale web scraping attack aimed at an unidentified job listing platform, which generated 400 million bot requests from nearly 400,000 unique IP addresses over four days.
As organizations continue to face escalating cyber threats, the incident serves as a crucial reminder of the importance of robust cybersecurity measures and the potential ramifications of DDoS attacks on corporate stability and reputation.