Let's play everyone's favorite game: REvil? Or Not REvil?

Akamai has spoken of a distributed denial of service (DDoS) assault against one of its customers during which the attackers astonishingly claimed to be associated with REvil, the notorious ransomware-as-a-service gang.

REvil was behind the JBS and Kaseya malware infections last year. In January, Russia reportedly dismantled REvil's networks and arrested 14 of its alleged members, theoretically putting an end to the criminal operation. 

Beginning in late April, however, the same group of miscreants — or some copycats  — appeared to resume their regularly scheduled ransomware activities with a new website for leaking data stolen from victims, and fresh malicious code.

Then, earlier this month, Akamai's Security Intelligence Response Team got called in to help clean up a Layer 7 attack on one of the vendor's hospitality customers by a group claiming to be connected to REvil. So, REvil? Or not REvil? Let's look at the evidence.

According to Akamai Security Intelligence Response Team member Larry Cashdollar, the incident was a coordinated DDoS attack — not involving ransomware and data encryption. It consisted of waves of HTTP/2 GET requests that included a 554-byte message demanding payment in Bitcoin, to be transferred to a given wallet address, for the attack to stop.

DDoS: The new ransomware attack

This all sounds similar to another DDoS attack reported by Imperva in March, in which crooks also demanded a ransom to stop the traffic floods, and included the string "revil" in the URL as part of the extortion message. 

It's likely the crooks used "revil" in the request string to incite fear and swift payment. As Imperva's threat hunters noted: "It is not clear however whether the threats were really made by the original REvil group or by an imposter."

Imperva also said there was a "strong indication" that the criminals used the Meris botnet in that DDoS attack, and Cashdollar noted that the number of MikroTik devices identified in the flood Akamai witnessed could indicate a Meris botnet attack. However, he concluded "it's hard to confirm or deny this claim." 

• Alleged REvil suspect extradited on ransomware spree charges
• Russia starts playing by the rules: FSB busts 14 REvil ransomware suspects
• Fresh ransomware samples indicate REvil is back
• REvil resurrected? Ransomware crew appears to be back. Keyword: Appears

The Akamai-documented attack also took a strange, un-REvil-sounding political turn.

Crooks made 'geospecific demand'

This happened when the crooks made "an additional geospecific demand, requesting the targeted company cease business operations across an entire country," Cashdollar wrote. They also threatened a follow-up attack that would hit the businesses' global operations if the victim did not "comply with the business/political demands" and pay the ransom.

Some other noteworthy details about the attack: while the GET request path containing the extortion demand was static, it included a randomly generated, unique eight-character string at the end in an attempt to avoid bypass caching. Also, the Bitcoin wallet in the demand wasn't one known to be used by REvil.

"Additionally, the 'Accept' request header contained a long static list of accepted media types across all requests during the attack," Cashdollar wrote. This "somewhat unique" combination and order may help fingerprint attack sources in the future. 

Plus, the GET request headers were out of order, compared to "typical" DDoS attacks, potentially indicating a custom-developed tool.

We're voting not REvil

If this was a REvil attack, it would be "new type of operation for the group," according to Cashdollar. While REvil has used DDoS for triple extortion in the past – pay up to stop network flooding as well as keeping the encrypted data private – the lack of an intrusion, document encryption, and file theft all lean decidedly toward this not being REvil.

Plus this attack seems at least partially politically motivated while "REvil has openly proclaimed that they're purely profit-driven," Cashdollar wrote. 

And while the Akamai security researchers can't say definitively, Cashdollar seems to imply that it's most likely a case of using REvil-linked scare tactics to extort payment, as opposed to being an actual REvil resurgence. 

As he noted, "what better way to scare your victim into payment than leveraging the name of a notable group that strikes fear into the hearts of organizations' executives and security teams across wide swaths of industry." ®