Is REvil having a resurgence, or is there a copycat hacking group?
Cybersecurity company Akamai has found that one of its clients has suffered a DDoS attack at the hands of a group claiming to be REvil.
According to a report released by cybersecurity company Akamai, one of its customers is currently experiencing a DDoS attack being carried out by Russian-affiliated hacking group REvil. REvil was thought to have been taken offline after several members were arrested earlier this year, leading some to believe the hacking group is simply a copycat operating the REvil name.
Per an Akamai press release, the company’s Security Intelligence Response Team (SIRT) was alerted to a Layer 7 attack on one of its customers in the hospitality industry, and the group behind it was claiming to be associated with REvil.
“It’s hard to tell [whether it is REvil or a copycat], attribution is difficult, especially in DDoS,” said Chad Seaman, Security Intelligence Response Team Engineer at Akamai. “This campaign compared to previously reported campaigns does have different traits that would suggest it isn’t the same group that launched the previously documented REvil attacks, but it’s hard to tell if those were even truly REvil to be honest.”
How the DDoS attack is being carried out
The cybersecurity company says it was first made aware of the attack on May 12, 2022, when a customer of Akamai contacted the SIRT team about the DDoS attack, believing it to be coming from a group associated with REvil. The attack in question was a coordinated one, targeting a website with a wave of HTTP/2 GET requests that used cache-busting techniques in order to overwhelm the application. Traffic to the site reached a peak of 15,000 requests per second (15kRps), according to Akamai, and the requests included a demand for payment in Bitcoin.
The message claimed that the attacks would cease once the ransom was paid in Bitcoin to a wallet address, and added a demand that the company stop operating in a certain country, which the press release did not name. Akamai linked the attack to REvil because its patterns resembled those of the Russian hacking group: “revil” was made part of the URL in the demands directed at the operations teams and executives of the affected company.
Additionally, according to the SIRT team, each request had a unique eight-character string appended to the end of it. This is part of a typical cache-busting technique: making every request unique so that responses are not served from a cache and must instead be retrieved from the origin web server.
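To show what that pattern looks like from the defender’s side, here is a small detector, added as an illustration and not taken from the Akamai report, that scans web server access logs for clients whose GET requests to the same path each carry a different eight-character alphanumeric token. The log lines, the client addresses and the `cb` query parameter name are all constructed for the example; real traffic would be checked against the site’s own logs and whatever parameter the attacker actually used.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (invented data, not from the Akamai report).
# Client 203.0.113.7 sends a fresh 8-char token on every request (cache busting);
# 198.51.100.4 and 192.0.2.9 are ordinary visitors, the latter reusing one 8-char session value.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2022:10:00:01 +0000] "GET /booking?cb=Ab3kZ9qL HTTP/2.0" 200 512
203.0.113.7 - - [12/May/2022:10:00:01 +0000] "GET /booking?cb=pQ7xR2mN HTTP/2.0" 200 512
203.0.113.7 - - [12/May/2022:10:00:01 +0000] "GET /booking?cb=Zz91kLmP HTTP/2.0" 200 512
203.0.113.7 - - [12/May/2022:10:00:02 +0000] "GET /booking?cb=Hh2kLmQ8 HTTP/2.0" 200 512
198.51.100.4 - - [12/May/2022:10:00:02 +0000] "GET /booking?room=deluxe HTTP/2.0" 200 2048
198.51.100.4 - - [12/May/2022:10:00:03 +0000] "GET /booking?room=deluxe HTTP/2.0" 200 2048
192.0.2.9 - - [12/May/2022:10:00:03 +0000] "GET /rates?session=k3Jd8PqA HTTP/2.0" 200 900
192.0.2.9 - - [12/May/2022:10:00:04 +0000] "GET /rates?session=k3Jd8PqA HTTP/2.0" 200 900
192.0.2.9 - - [12/May/2022:10:00:05 +0000] "GET /rates?session=k3Jd8PqA HTTP/2.0" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\d+)'
)
# An eight-character alphanumeric token, the shape the SIRT write-up describes.
TOKEN_RE = re.compile(r'^[A-Za-z0-9]{8}$')


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = query
    return rec


def cache_bust_token(query):
    """Return the first query value (or bare key) that looks like a random 8-char token, else None."""
    for part in query.split("&"):
        if not part:
            continue
        _, _, value = part.partition("=")
        candidate = value or part
        if TOKEN_RE.match(candidate):
            return candidate
    return None


def find_cache_busting(log_text, min_requests=3, min_unique_ratio=0.9):
    """Flag (client, path) pairs where nearly every GET carried a distinct 8-char token.

    A legitimate client reusing one session value keeps a low unique-token ratio and is
    not flagged; a cache-busting flood shows a ratio near 1.0. The per-second bucket count
    gives a rough peak request rate for the flagged client.
    """
    stats = defaultdict(lambda: {"requests": 0, "tokens": set(), "per_second": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        s = stats[(rec["client"], rec["path"])]
        s["requests"] += 1
        s["per_second"][rec["ts"]] += 1  # timestamp string has one-second resolution
        tok = cache_bust_token(rec["query"])
        if tok:
            s["tokens"].add(tok)

    flagged = []
    for (client, path), s in sorted(stats.items()):
        n = s["requests"]
        uniq = len(s["tokens"])
        if n >= min_requests and uniq / n >= min_unique_ratio:
            flagged.append({
                "client": client,
                "path": path,
                "requests": n,
                "unique_tokens": uniq,
                "peak_rps": max(s["per_second"].values()),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_cache_busting(SAMPLE_LOG):
        print(hit)
```

The unique-token ratio is what separates cache busting from ordinary traffic: a real visitor who happens to carry an eight-character session value sends the same value every time, so only one token accumulates. In production the thresholds would be tuned per path, and the per-client counts would feed rate limiting or a WAF rule rather than just a printout.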
Is this attack the work of a copycat group?
Akamai says that while this method of attack aligns with ones previously carried out by REvil, it believes the motivation for the DDoS to be a governmental one, which conflicts with REvil’s past motivations for attacking companies. One of the main reasons the attack is thought to be the work of a copycat group is that REvil has previously claimed to be driven purely by money and not by politics.
The cybersecurity company says this may be a sign of REvil testing whether politically motivated DDoS attacks can be profitable ones, or simply a copycat group recycling old methods to scare executives into paying ransoms on the strength of the cachet the REvil name carries.
It is not entirely clear at this time whether this attack is the work of members of REvil or of an unaffiliated group trying to score a payday off the name of a well-publicized cybercriminal collective that has been disbanded for months now. Either way, companies need to be prepared in case they are the next targets of this group’s attacks.