UK's VoIP Unlimited hit by DDoSes again, weeks after ransom-linked attacks KO'd it

A British VoIP firm has staggered back to its feet after being smacked with a series of apparent DDoSes a month after suffering a series of sustained attacks it said were delivered by the REvil ransomware gang.

In an update at 11:56 UK time, it said it was "continuing to suffer from large scale DDoS attacks. VoIP Unlimited engineers are continuing to mitigate the impact on services."

Voip Unlimited's services went down in September at the time of the initial attack, with managing director Mark Pillow saying at the time he was "extremely sorry for all inconvenience caused".

The downtime yesterday and this morning came about after "an alarmingly large and sophisticated DDoS attack attached to a colossal ransom demand" which it said it believed was sent by the REvil ransomware gang – which had apparently attacked other UK VoIP providers at the same time.

Voip Unlimited declined to comment today. At the time of writing some of its services had come back online.

A Reg reader who is a customer of the firm told us last night that issues "started at about 15:30 [yesterday] as intermittent connectivity - it's now ramping up to complete loss of service."

Another told us "Voip Exchange and Data connectivity customers" were being targeted with "some services seemingly being impacted since Wednesday".

• Ransomware crim: Yeah, what I do is bad. No, I don't care. Yes, infosec bods are all mouth and no trousers
• New Zealand hospitals infected by ransomware, cancel some surgeries
• REvil customers complain ransomware gang uses backdoors to filch ransoms
• Confessions of a ransomware negotiator: Well, somebody's got to talk to the criminals holding data hostage

Although REvil is best known for distributing ransomware, which infects a target organisation's network and encrypts its contents, extortion-based DDoSes are a relatively new pivot for the criminal gang. What appears to be the same criminal gang targeted a Canadian firm in mid-September, calling itself REvil and demanding 1 bitcoin (at the time worth $45,000) to stop the attacks.

Infosec firm Cyjax reckoned a free decrpytor for REvil's flagship ransomware was released in mid-September, providing a possible clue about why the gang has added old-fashioned RDoSing to its criminal portfolio. Naturally, it's not impossible that an enterprising group of cybercrims are trading off REvil's reputation for their own gain.

Ransom denial-of-service (RDoS) attacks are gradually scaling up across the world. The attack form revolves around the availability of DDoSaaSes (DDoS as-a-service services), known on a smaller scale as booters. Large-scale DDoSes tend to need large botnets only available to bigger players who don't feel the need to rent out their infrastructure to others who might get it noticed and shut down; or those based in countries which don't care so long as the botnets aren't pointed inside their borders.

Infosec analysts at TrendMicro said in a recent report that multilevel extortion schemes were becoming increasingly common amongst ransomware makers. The firm described it as the third layer following "a straightforward formula: adding DDoS attacks to the ... encryption and data exposure threats." It said it was "first performed by SunCrypt and RagnarLocker operators in the latter half of 2020 and that REvil (aka Sodinokibi) was "also looking into including DDoS attacks in their extortion strategy" in June this year. ®