Cybercrime , Cybercrime as-a-service , DDoS Protection

Dayslong DDoS Attack With Embedded Ransom Note Mitigated

Meris Botnet Used; Gang Purporting to Be REvil Claims Responsibility
Dayslong DDoS Attack With Embedded Ransom Note Mitigated
Sample ransom note received before the attack began (Source: Imperva)

An undisclosed website was the victim of a massive, dayslong distributed denial-of-service attack. The threat actors attacked the website at the rate of 2.5 million requests per second.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

An interesting detail is that the attackers included a ransom note as part of the attack itself, rather than contacting the victim separately, "perhaps as a reminder to the target to send their bitcoin payment," say the researchers at cybersecurity company Imperva. The researchers say the attack has now been mitigated.


Based on the ransomware note, the attack may have been perpetrated by ransomware-as-a-service operator REvil.

The threat actor, as part of the latest attack, claimed responsibility for a different attack on service provider Bandwidth. The Imperva researchers, however, say that they have not established whether the attackers are indeed part of the original REvil group.

The Meris botnet, they add, played a key role in this attack.

The botnet activity was first observed by cybersecurity firms Qrator Labs and Cloudflare in huge waves of DDoS attacks. At its peak, the DDoS attack signatures that these firms monitored saw a spike of nearly 17.2 million to 21.8 million requests per second (see: Mēris: How to Stop the Most Powerful Botnet on Record).

Attack Details

The targeted company was hit by several DDoS attacks on the same day, the researchers say, without specifying when the attack began. The largest of the attacks, they say, lasted for less than a minute and measured up to 2.5 Mrps.

"Multiple sites from the same company came under attack, with one site sustaining an attack lasting around 10 minutes. The attackers applied sophisticated tactics to avert mitigation with the ransom messages and attack vectors changing constantly. At the same time, to shock the target, the payment amounts demanded kept increasing in size," the researchers say.

The attacks continued for several days, sometimes lasting up to several hours; in 20% of cases, the attack reached between 90,000 and 750,000 requests per second.

The researchers say they mitigated more than 12 million embedded requests targeting random URLs on the same site. The threats didn't stop the following day either. On the second day, the researchers say they mitigated more than 15 million requests, with the URL containing a different message but using the same scare tactics. They warned the CEO that the company's stock price would be destroyed if they didn't pay up.

Imperva researchers say that, often, victims receive the embedded ransom note after the attack is already underway. The note, they say, adds to the sense of urgency among victims to pay up.

"While ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase. For example, we’ve seen instances where the ransom note is included in the attack itself embedded into a URL request," the researchers say.

In the latest case, the target also received several warning ransom notes before the first attack began, Imperva researchers say.

They did not specify how much ransom was sought or if the victim paid.

These attacks originated from 34,815 sources, with 2 million requests per IP sent from the top sources during the attack, the researchers say.

"The top source locations for the 2.5 Mrps attack were Indonesia, followed by the United States. And we have seen a pattern emerging of almost identical source locations for different attacks indicating that the same botnet was used many times," they say.

An analysis of the attack pattern against other such incidents showed that "each of the targets receives a unique bitcoin address, but they are all part of the same coordinated attack," the researchers add.

Also, the attackers have been targeting sites of businesses focused on sales and communication in the U.S, and Europe, the researchers say. The common denominator is that all these companies are listed on stock exchanges, which is a factor the threat actors use to their advantage, as a DDoS attack could potentially damage the company stock price significantly.

Past Findings

In February, Imperva and cybersecurity firm Check Point released reports on botnet attacks that affected multiple organizations, resulting in web scraping as well as theft of financial information. They included a massive bot attack used to scrape data from job listing sites, and a TrickBot malware attack that targeted 60 high-profile companies (see: Massive Bot Attack Generates 400 Million Requests in 4 Days).

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.