Massive Meris Botnet Embeds Ransomware Notes from REvil

Notes threatening to tank targeted companies’ stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL.

Hey webop_geeks, you_are_already_dead, a note claiming to be left by the REvil ransomware gang declared, embedded into the attack itself as a string of text in the URL for the extortion demand.

Imperva reported the interesting twist on Friday – one of several it’s seen in the evolution of distributed denial-of-service (DDoS) attacks so far this year.

In a post that detailed mitigation of a recent attack that hit up to 2.5 Mrps (millions of requests per second) on a single website, Imperva’s Nelli Klepfish shared several chest-thumping ransom notes – a screen capture of one is included below – that its targeted customer received before the attack started.

A ransomware note ransom note embedded into the attack’s URL extortion demand. Source: Imperva.

Infosec Insiders Newsletter

“We are observing more cases like this where the ransom note has been included as part of the attack itself, perhaps as a reminder to the target to send their bitcoin payment,” Klepfish wrote. “Of course, once the target receives this note, the attack is already underway, adding a sense of urgency to the threat.”

This was only one of several threatening ransom notes the target received before the 2.5 Mrps DDoS attack began, and the specific message shown above was one of more than 12 million embedded requests that targeted random pages on the same site.

The 2.5 Mbps attack was the highest pitter-patter Imperva’s ever wrangled, but it’s nowhere near the highest ever. That undesirable trophy likely goes to the 2.5 Tbps DDoS that hit Google in September 2017, sending 167 Mps to 180,000 exposed CLDAP, DNS, and SNMP servers that turned around and sent back big, choke-you packets.

“While ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase,” Imperva observed.

Another threatening message, shown below, told “webops_geeks” to inform their bosses that they’d need to start coughing up 1 Bitcoin a day – worth the tidy sum of about USD $40K, as of Friday – if they wanted to stay online. It, and other embedded messages, were signed “revil_this_is_our_dominion.”

Another message incorporated into one of the targeted URLs. Source: Imperva.

Whether or not the attacks have anything to do with the REvil ransomware-as-a-service (RaaS) gang or are just coming from an imposter is anybody’s guess. Russia made a show of busting up REvil in January, with its Federal Security Service (FSB) claiming to have raided gang hideouts; seized currency, cars and personnel; and neutralized REvil’s infrastructure at the request of the United States. But as these things go, cybercrook gangs are like blobs of jelly: You squeeze one end, and the action pops up somewhere else as members join other cybercriminal gangs.

REvil does have a history of DDoS ransomware, though. In October 2021, a British voice-over-IP (VoIP) firm – Voice Unlimited – was still recuperating a month after a series of apparent sustained DDoS attacks that were attributed to REvil.

Threatening to Tank Victim’s Stocks

The next day, the attackers sent over 15 million requests to the same site, this time with a new message that warned the CEO that the attackers would eviscerate the company’s stock price by “hundreds_of_millions_in_market_cap.”

Message threatening the stock price. Source: Imperva.

The attacks kept coming for several days, lasting up to several hours and, in 20 percent of cases, hitting between 90 and 750 thousand requests per second (Krps).

Born of the Brawny Meris Botnet

Evidence points to the DDoS attacks coming from the massive Meris botnet. Meris sucks its power out of the thousands of internet-of-things (IoT) devices that have been hijacked thanks to a years-old vulnerability, tracked as CVE-2018-14847, in MicroTik routers.

“Although CVE-2018-14847 was published a while ago, attackers can still take advantage of it,” Imperva pointed out.

And how. The Meris botnet was behind the record-breaking DDoS attack that targeted Russia’s version of Google – Yandex – in September 2021. Other targets for Meris in 2021 included cybersecurity media sites Krebs on Security and Infosecurity, as well as New Zealand banks, its post mail service and the country’s MetService weather service.

They’re all cases in point for the fact that DDoS attacks shattered records in Q3.

While the largest attack to hit Imperva’s customer reached 2.5 Mrps, the company blocked over 64 million requests in under one minute, as shown in the graph below:

Graph showing over 64 million requests blocked in under one minute. Source: Imperva.

The top originating countries were Indonesia and the United States, as shown in the pie chart below. “We have seen a pattern emerging of almost identical source locations for different attacks, indicating that the same botnet was used many times,” Imperva said.

The attacks took only seconds to mitigate, given that the sources, which impersonated legitimate browsers or a Google bot, were known to be malicious.

Top originating countries. Source: Imperva.

The threat actors focused on business sales and communications sites, mainly based in the United States or Europe, that had the commonality of being exchange-listed. All the better to scare you with threats to stock price, my dear, Imperva noted: “The threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price.”

Now is the time to prepare for an attack, Imperva warned, particularly given the threat actors’ promise – be they REvil or REvil wannabes – to keep hammering away.

Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.

Suggested articles