Imperva, a cyber security software and services company has thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack, the company has revealed.

Ransom DDoS attacks (DDoS aka distributed denial of service) are nothing new, but lately, there has been a sudden surge in their incidences. As per a new report from cybersecurity firm Imperva, the company recently thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack.

Incident Details

According to the details shared by Imperva’s security analyst Nelli Klepfish, the entity against which the DDoS attack was targeted received multiple ransom notes during the attack. Klepfish noted that the company paid the attackers in bitcoin to remain online and prevent the loss of “hundreds of millions” in market cap.

Imperva Successfully Mitigated 2.5 Million RPS Ransom DDoS Attacks
One of the ransom notes Imperva’s targeted customer received.

Imperva mitigated more than 12 million embedded requests targeting the company’s main website with random URLs. Furthermore, researchers identified threatening messages that were part of the requests as the attackers demanded ransom.

The same day, on the same site, according to Imperva’s blog post, it again thwarted more than 15 million requests however, this time the URL contained a different message. But, the attackers used somewhat similar threat tactics, warning the company’s CEO for devastating consequences, such as the company’s stock price plummeting if they don’t pay up the ransom.

Imperva Successfully Mitigated 2.5 Million RPS Ransom DDoS Attacks
A series of messages plus a ransom note that Imperva shared on its blog post.

The most devastating attack lasted one minute, while Imperva measured 2.5 million RPS (1.5Gbps of TCP traffic in terms of bandwidth) as the highest number of requests received. The company successfully addressed 64 million requests in one minute.

A similar attack was sustained by the targeted entity’s sister site, which lasted for 10 minutes. They observed that the attackers constantly changed their attack tactics and ransom notes to avoid mitigation.

Further probe revealed that the DDoS attack originated from the Meris botnet that leveraged a now patched security flaw in Mikrotik routers. The vulnerability is classified as CVE-2018-14847.

It is worth noting that last year, the Meris botnet was also used in one of the largest DDoS attacks on Yandex, a Russia-based technology and search engine giant.

As for Imperva; the company identified about 34,815 sources of attack’s origin. The attacks lasted for several days, sometimes even lasting for several hours in a day. In 20% of the cases Imperva observed, the attackers launched 90 to 750 thousand RPS. Top attack sources include the following countries:

  1. India
  2. China
  3. Brazil
  4. Russia
  5. Mexico
  6. Thailand
  7. Colombia
  8. Argentina
  9. Indonesia
  10. United States

Was REvil Group Involved?

Imperva reported an interesting fact that the attackers claimed to be members of the infamous RaaS (ransomware-as-a-service) gang REvil. However, according to Imperva’s research, it is not yet confirmed that the claims are made by the original REvil operators or some imposter. That’s because the REvil ransomware gang recently suffered a setback after several of its members were arrested in Russia and some in Romania, Ukraine, and Kuwait.

More Ransom-based DDoS Attack News

  1. DDoS Ransom Notes, to Honor or Not to Honor?
  2. DDoS Attacks Now Launched with Monero Ransom Notes
  3. Attacker demands ransom after series of DDoS attacks on Poker site
  4. Canadian firm VoIP.ms hit by non-stop extortion-based DDoS attacks
  5. Bandwidth.com is latest victim of nonstop DDoS attacks against VoIP

This ransom DDoS attack is the second such activity involving botnets that Imperva has thwarted since January 2022. Previously the company averted a web scraping attack against a job listing platform.

In that incident, the attacker used a large-scale botnet comprising over 400 million bot requests from approximately 400,000 unique IP addresses over four days to steal job applicants’ profiles.

Posted by Charlie