I. Targeted Entities

• Akami Technologies Incorporated and customers

II. Introduction

A recent denial of service (DDoS) campaign against a hospitality customer of Akamai, a cloud networking provider, and the defunct REvil ransomware gang claiming responsibility for it. It should be noted that researchers believe there is a high probability that the attack is not a resurgence of the infamous cybercriminal group but rather a copycat operation.

III. Background Information

Akamai researchers have been monitoring the DDoS attack since May 12^th, when a customer alerted the company’s Security Incident Response Team (SIRT) of an attempted attack by a group purporting to be REvil. The requests contain demands for payment, a bitcoin wallet, and business/political demands.[1] While the attackers claim to be REvil, it is not clear if the defunct group is responsible for the attacks, given that the attacks seem smaller than previous attacks that the group claimed responsibility for. The apparent political motivation behind the DDoS campaign is also inconsistent with REvil’s M.O.

REvil, which hasn’t been seen since July 2021, was a Russia-based ransomware-as-a-service (RaaS) group well-known for its attacks against Kaseya, JBS Foods, and Apple.[2] The disruptive nature of their attacks caused international authorities to take measures against the group, with Europol arresting a number of cybercriminals in November of 2021.[2] In March 2022, Russia, who up until then had done little to stop REvil’s operations, claimed responsibility for fully toppling the group at the behest of the U.S. government, arresting its individual members. One person arrested was instrumental in helping the ransomware group DarkSide, the group responsible for the Colonial Pipeline attack in May of 2021.[2]

The recent DDoS attack, which would be a shift in strategy for REvil, was comprised of a HTTP GET request in which the request path contained a message to the target containing a 554-byte message demanding payment. The victim was directed to send the bitcoin payment to a wallet address that “currently has no history and is not tied to any previously known bitcoin.”[2] The attack also has an additional geospecific demand that requested the targeted company to cease business operations across an entire country. The attackers threatened to launch follow-up attacks that would affect global business operations if the demand was not met and the ransom not paid in a specific amount of time.[2]

There is a precedent for REvil using DDos in its previous attacks, but it does not appear that this attack is the work of REvil. REvil’s M.O. was to gain access to a target network or organization and encrypt or steal sensitive data, demanding payment to decrypt or prevent information leakage to the highest bidders or threatening public disclosure of sensitive or damaging information. The technique in this attack is different from their normal strategy. The political motivation tied to the attack, which is linked to a legal ruling about the targeted company’s business model, also goes against REvil’s normal tactics, with leaders in the past saying that they were purely profit-driven.[2] However, it is possible that REvil is seeking a resurgence by trying out a new business model of DDoS extortion. However, what is more likely is cybercriminals using the name of a notorious cybercriminal group to frighten the targeted organization into meeting their demands.[2]

IV. MITRE ATT&CK

• T1498– Network Denial of Service
  This type of attack involves the adversary blocking the availability of targeted resources to users of a system. In this case, the adversary exhausted the network bandwidth that Akamai customers relied on and demanded payment to end this attack.

V. Recommendations

• Phishing Awareness Training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Set Antivirus Programs to Conduct Regular Scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
• Monitor Malware
  Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on Endpoint Protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Cashdollar, Larry. “REvil Resurgence? Or a Copycat?” Akamai Blog. Akamai Technologies, May 25, 2022. https://www.akamai.com/blog/security/revil-resurgence-or-copycat.

(2) Montalbano, Elizabeth. “Cybergang Claims Revil Is Back, Executes DDoS Attacks.” Threatpost English Global, May 26, 2022. https://threatpost.com/cybergang-claims-revil-is-back-executes-ddos-attacks/179734/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.