Of particular concern, according to Radware, is that ransom DoS (RDoS) groups are becoming more sophisticated and launching increasingly complex attacks. There are early indications that Phantom Squad and a group posing as REvil are active again.
In recent months, Radware researchers have observed a significant increase in DDoS activity worldwide. The tactics, techniques, and procedures (TTPs) employed by the various groups are evolving and threaten target companies in the US, Asia, and Europe.
Is Phantom Squad back?
After a five-year hiatus, a new ransom letter has surfaced whose analysis shows the typical characteristics of the Phantom Squad RDoS group. On May 22, 2022, a ransom letter almost identical to the one used in the 2017 Phantom Squad RDoS campaign appeared. The only difference between the 2017 letter and the 2022 version is an additional section listing the IP addresses and domain names of the intended targets. According to Radware, only one such letter has surfaced so far, with no reported or observed outages or demonstration attacks against the targeted victims.
A group posing as REvil is also active again
At the same time, a group posing as REvil has resumed its RDoS campaign using HTTPS request floods. Unlike Phantom Squad, this group does not merely threaten but also causes damage. It first sends the targeted victim a warning ransom note and then escalates to more advanced tactics, including embedding the ransom note in the attack payload itself. The group conducts high-rate (several million requests per second) encrypted application-layer attacks. These attacks last about five minutes and carry messages embedded in the request URL. The group posing as REvil was also seen using Twitter last year to put additional pressure on its victims.
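The two observable traits of this campaign, a short burst of very high request rate and a ransom note carried in the request URL, can both be checked from web or edge access logs. The following Python sketch is an added example and is not Radware's code or tooling: it parses Combined Log Format lines, counts requests per second, flags seconds above a threshold, and URL-decodes each request to look for human-readable note text. The keyword list, the threshold and the sample log lines are constructed assumptions; a real flood at millions of requests per second would normally be visible only in sampled CDN or load-balancer logs, not on the origin server.

```python
"""Detection sketch for RDoS HTTPS floods that carry a ransom note in the
request URL. Added example, not Radware's code. Assumes Combined Log Format
access logs; all sample data below is constructed."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Heuristic vocabulary for an embedded note (assumption; tune to real samples).
NOTE_WORDS = ("bitcoin", "btc", "pay", "ransom", "ddos", "attack", "wallet")


def parse_line(line):
    """Return {ip, ts, url} for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "url": m.group("url"),
    }


def embedded_message(url):
    """Return the decoded URL if it reads like a human-written note, else None.

    Percent-decoding is applied first; '+' is treated as a space as in form
    encoding. A note is assumed to have at least five alphabetic words, two
    of which come from NOTE_WORDS, which keeps ordinary API paths quiet."""
    text = unquote(url).replace("+", " ")
    words = re.findall(r"[A-Za-z]{2,}", text)
    hits = sum(1 for w in words if w.lower() in NOTE_WORDS)
    if len(words) >= 5 and hits >= 2:
        return text
    return None


def analyze(lines, rps_threshold=1000):
    """Bucket requests per second, flag bursts, and collect embedded notes."""
    per_second = Counter()
    messages = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash mid-incident
        per_second[rec["ts"].replace(microsecond=0)] += 1
        msg = embedded_message(rec["url"])
        if msg:
            messages[msg] += 1
    burst = sorted(s for s, n in per_second.items() if n >= rps_threshold)
    return {
        "peak_rps": max(per_second.values(), default=0),
        "burst_seconds": burst,
        "messages": dict(messages),
    }


def sample_log():
    """Constructed log: a few benign requests around a one-second flood whose
    URLs carry a percent-encoded note (wording is invented for the example)."""
    note = "/?msg=pay%2010%20btc%20to%20wallet%20or%20the%20attack%20continues"
    fmt = '{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [
        fmt.format(ip="203.0.113.7", ts="22/May/2022:09:59:59 +0000", url="/index.html"),
        fmt.format(ip="203.0.113.8", ts="22/May/2022:09:59:59 +0000", url="/api/v1/users?page=2"),
    ]
    lines += [
        fmt.format(ip=f"198.51.100.{i % 250 + 1}", ts="22/May/2022:10:00:00 +0000", url=note)
        for i in range(1500)
    ]
    lines.append(
        fmt.format(ip="203.0.113.9", ts="22/May/2022:10:00:01 +0000", url="/index.html")
    )
    return lines


if __name__ == "__main__":
    result = analyze(sample_log(), rps_threshold=1000)
    print("peak rps:", result["peak_rps"])
    print("burst seconds:", [s.isoformat() for s in result["burst_seconds"]])
    for msg, n in result["messages"].items():
        print(f"{n:>6}x embedded note: {msg}")
```

Run against real logs, the interesting signal is the combination: a rate spike confined to a few minutes whose requests all decode to the same sentence. Either trait alone (a traffic spike, or a single odd URL) is common; both together, with the decoded note as evidence, is what distinguishes an RDoS demonstration attack from ordinary load.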
Daniel Smith, Head of Research for Radware's Cyber Threat Intelligence group, comments: “RDoS groups posing as Phantom Squad and REvil appear to be targeting organizations in Europe, the US and Asia. While the 2017 Phantom Squad campaign did not involve any actual DDoS attacks, we still advise companies to be vigilant.”
More at Radware.com
About Radware
Radware (NASDAQ: RDWR) is a global leader in application delivery and cybersecurity solutions for virtual, cloud and software-defined data centers. The company's award-winning portfolio secures enterprise-wide IT infrastructure and critical applications and ensures their availability. More than 12,500 enterprise and carrier customers worldwide use Radware solutions to adapt quickly to market developments, maintain business continuity and maximize productivity at low cost.