REvil Strikes Again… Maybe

REvil Strikes Again… Maybe

On September 16th, the VoIP service provider; located in Quebec, Canada; was hit with a distributed denial of service (DDoS) attack. VoIP systems employ internet signals to send information over telephones and other communication devices, rather than conventional landlines. Even though landlines have a reputation for being more secure than VoIP phones, many firms will opt for using VoIP as it's easier to integrate into other internet based services they may use, and it gets rid of the need for separate wiring and infrastructure. The attackers initially asked for ransom in the form of a single Bitcoin, which was worth about $42,000 at the time. They then increased their demand to 100 Bitcoins, a cash value of roughly $42 million. The emails demanding payment were signed by the group--or someone masquerading as the group--REvil.

If you recall from our previous coverage of the ransomware attack on Kaseya, you'll remember that REvil is a Russian group of cyber criminals who have engaged in attacks like this in the past. It's worth noting, however, that there's currently no evidence to suggest this attack and the Kaseya attack were perpetrated by the same people. Lawrence Abrams, writing for the tech news site Bleeping Computer, states in his coverage of the attack that, "REvil is not known for DDoS attacks or publicly demanding ransoms, in a manner done in the attack. This attack's method of extortion makes us believe that the threat actors are simply impersonating the ransomware operation to intimidate further." In any case, this attack is illustrative of an especially crippling form of cyber attack, one that every firm needs to think about if they rely on VoIP or internet based systems generally.

What is DDoS?

A distributed denial of service attack occurs when a cyber criminal, or a group of cyber criminals, floods a server with requests. This is often accomplished with use of automated computers called bots that can send numerous requests repeatedly over a short span of time, more than any human user could conceivably produce. This has the effect of gunking up a server's capacity to handle internet traffic, leading to slow performance and crashes that make the server virtually impossible to use. In the case of VoIP providers, this could effect not only a firm's website or web-based operations but also their phones. Often attackers will agree to cease the DDoS attack if their demands are met.

Dealing with DDoS

There are many tools a firm can use to address and prevent DDoS attacks. The first is a security feature called rate limiting, in which traffic to a website is blocked if it fails to muster security protocols. The most common form of this is automatically blocking any IP address that attempts and fails repeatedly to log into a system. For example, if a firm has a website that's maintained by a dedicated webmaster with their own login credentials, anyone who tries to log into the website to make changes and fails to enter the proper credentials is blocked from sending more requests for a certain amount of time. Protocols like this can easily distinguish a real person from a bot by measuring the amount of attempts a user makes in a span of time. Someone who tries and fails to log into a website 50 or 100 times in the space of a few minutes is probably an automated program because no human being has the capacity of generating that many login attempts in such a short period. Many website development platforms, such as WordPress, often sport free security plugins to curtail bot attacks of this kind.

Another strategy is something called blackhole routing, in which a network administrator shunts web traffic into a dummy web route away from the main server, thus relieving the pressure generated by bot traffic. Blackhole routing is a tricky business though. Often these new routes can't discriminate between aggressive bot traffic and legitimate traffic, meaning that normal internet visitors are redirected away from the main site along with the bots. While it could conceivably solve the problem of overwhelmed servers, if any legitimate customers get redirected away from a site, the firm is in the same position as they were before--no one's going to be able to use their site because no one will be able to reach it.

These are just a two of several protocols that a firm could implement in the event of an attack. Still, prevention is better than treatment, so to speak, when dealing with the health of your network. A skilled and dedicated managed IT team like Titan Tech can create systems and protocols to prevent DDoS attacks and minimize the damage if they do occur. To learn more about what Titan Tech can do to protect your business, use their contact form to get in touch.

And join us next week for more tech news.