Imperva Thwarts 2.5 Million RPS Ransom DDoS Extortion Attacks

Cybersecurity firm Imperva said Friday that it recently mitigated a ransom distributed denial-of-service (DDoS) attack against an unnamed website that peaked at 2.5 million requests per second (RPS).

“While ransomware DDoS attacks aren’t new, they seem to evolve and become more interesting over time and with each new phase,” Nelli Klepfish, security analyst at Imperva, noted. “For example, we have seen cases where the ransom note is included in the attack itself embedded in a URL request.”
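As an added illustration, not Imperva's code or analysis, the following Python script shows how a defender might spot the two signals described in this article in ordinary web server logs: a per-second request spike, and extortion text smuggled into the request URL itself. The log lines are constructed for the example, and the keyword list and the rps_threshold value are assumptions to be tuned for a real site.

```python
"""Triage an access log for a request-rate spike and ransom notes embedded
in request URLs. Added example; the sample log and thresholds are made up."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; not real traffic
# from the incident in the article. Two requests carry a note in the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.8 - - [10/Mar/2022:14:02:11 +0000] "GET /?note=pay%2010%20BTC%20or%20your%20stock%20drops HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2022:14:02:11 +0000] "GET /api/v1/items HTTP/1.1" 200 128
203.0.113.10 - - [10/Mar/2022:14:02:11 +0000] "GET /catalog?page=3 HTTP/1.1" 200 2048
203.0.113.11 - - [10/Mar/2022:14:02:11 +0000] "GET /?note=pay%2010%20BTC%20or%20your%20stock%20drops HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2022:14:02:12 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.5 - - [10/Mar/2022:14:02:13 +0000] "GET /about HTTP/1.1" 200 900
"""

# One CLF line: ip ident user [timestamp tz] "method url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Crude triage vocabulary for extortion text (an assumption for this example);
# tune it to the site's own URL space to keep false positives down.
RANSOM_TERMS = ("btc", "bitcoin", "ransom", "stay online", "wallet")


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every line of an access log, skipping malformed ones."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def requests_per_second(records):
    """Count requests per one-second bucket (the 'ts' field has 1 s resolution)."""
    return Counter(rec["ts"] for rec in records)


def peak_rps(records):
    """Highest per-second request count in the log, or 0 for an empty log."""
    counts = requests_per_second(records)
    return max(counts.values()) if counts else 0


def find_ransom_notes(records):
    """Return (ip, decoded_url) for requests whose URL carries extortion text.
    The URL is percent-decoded first, since the note is usually encoded."""
    hits = []
    for rec in records:
        decoded = unquote(rec["url"]).lower()
        if any(term in decoded for term in RANSOM_TERMS):
            hits.append((rec["ip"], decoded))
    return hits


def top_sources(records, n=3):
    """Most frequent source IPs, to gauge how distributed the traffic is."""
    return Counter(rec["ip"] for rec in records).most_common(n)


def triage(text, rps_threshold):
    """Summarise a log: peak rate, whether it crossed the (hypothetical)
    flood threshold, any ransom notes found, and the busiest sources."""
    records = parse_log(text)
    peak = peak_rps(records)
    return {
        "peak_rps": peak,
        "flood": peak >= rps_threshold,
        "ransom_notes": find_ransom_notes(records),
        "top_sources": top_sources(records),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, rps_threshold=5))
```

Keyword matching on decoded URLs is a triage signal for the analyst, not a blocking rule: the flood is what takes the site down, and it has to be absorbed upstream regardless of whether a note is present.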

The main sources of the attacks came from Indonesia, followed by the United States, China, Brazil, India, Colombia, Russia, Thailand, Mexico and Argentina.

Distributed Denial of Service (DDoS) attacks are a subcategory of Denial of Service (DoS) attacks in which an army of compromised internet-connected devices, known as a botnet, is used to overwhelm a target website with junk traffic in an attempt to make it unavailable to legitimate users.


The California-based company said the affected entity received several ransom notes embedded in the DDoS traffic, demanding a payment in bitcoin to stay online and avoid losing “hundreds of millions in stock market capitalization”.

In an interesting twist, the attackers call themselves REvil, the notorious ransomware-as-a-service cartel that suffered a major setback when a number of its operators were arrested by Russian law enforcement in early January.

“However, it’s unclear whether the threats were really made by the original REvil band or by an impostor,” Klepfish noted.

Origins of attacks

The 2.5 million RPS attack reportedly lasted less than a minute, and a sister site run by the same company was hit by a similar attack that lasted around 10 minutes, with the attackers constantly changing tactics to evade mitigation.

Evidence collected by Imperva points to the attacks originating from the Mēris botnet, which has exploited a since-patched vulnerability in MikroTik routers (CVE-2018-14847) to hit targets including Yandex.

“The types of sites that threat actors seek appear to be commercial sites focused on sales and communications,” Klepfish said. “Targets tend to be based in the U.S. or Europe; the one thing they all have in common is that they are all publicly traded companies, and threat actors use this to their advantage by referring to the potential damage a DDoS attack could cause to the company’s stock price.”


The findings come as malicious actors have been spotted weaponizing, for the first time in the wild, a new amplification technique called TCP Middlebox Reflection to hit the banking, travel, gaming, media and web hosting sectors with floods of junk traffic.

The ransom DDoS attack is also the second botnet-driven campaign Imperva has mitigated since the start of the year, following a web-scraping attack against an unnamed job listing platform in late January.

“The attacker used a large-scale botnet, generating no less than 400 million bot requests from nearly 400,000 unique IP addresses over four days with the aim of harvesting job seekers’ profiles,” the security company noted.
