An internet phone services company based in Quebec suffered a distributed denial of service (DDoS) attack last week – and though the attackers claim to be the same group behind the infamous ransomware gang REvil, experts beg to differ.
Communications company VoIP.ms revealed in a statement on its website earlier this week that it was struck by a DDoS attack last Thursday, and that its team has been responding to the attack since. The DDoS attack disrupted telephony services by affecting the company’s DNS, which prevented VoIP.ms’ clients from receiving or making phone calls.
Because its DNS stopped working following the attack, VoIP.ms advised its clients to modify their HOSTS file to point the domain at their IP address to bypass DNS resolution, allowing them to use the phone services. But this only left the company’s clients vulnerable to direct DDoS attacks from the attackers.
BleepingComputer reported that on September 18, a threat actor claimed responsibility for the cyberattack on VoIP.ms. The threat actor, named “REvil,” posted a link to a ransom note uploaded to Pastebin. While the note has since been removed from Pastebin, BleepingComputer was informed that the ransom note demanded a payment of one bitcoin, or about US$45,000, to stop the DDoS attacks.
A Twitter message from “REvil” posted on September 18 said that VoIP.ms is “completely responsible for the stress and damage to their customers and businesses” because of the company’s “inaction and poor handling” of the disruption. The threat actor also indicated that it had made an initial offer and warned VoIP.ms twice, and that the company ignored the first two warnings.
The threat actor posted a second tweet about an hour and a half after the first, saying that it had raised its extortion demand to 100 bitcoins.
“REvil” shares its name with the ransomware group REvil, but BleepingComputer noted that REvil the ransomware group is not known for DDoS attacks or publicly demanding ransoms.
“This attack's method of extortion makes us believe that the threat actors are simply impersonating the ransomware operation to intimidate VoIP.ms further,” the cybersecurity news portal said, adding that it had reached out to VoIP.ms for comment on the matter, but did not receive a timely response.