Attackers are relentlessly attacking targets with ransom notes and manipulating the stock price of targeted companies. These notes were part of a string_of_text directed to CEOs. 

Recently, a DDoS ransomware threat actor has brought down a single website with up to 2.5 million requests per second. The threat actor has targeted one of the customers of Imperva. A researcher noted that these requests included multiple ransom notes that kept updating with time.

  • The first note is sent right before the start of the DDoS attack. By the time the note is delivered, the attack has already started targeting systems. It is designed to create a top-priority need so that victims pay.
  • A message also goes to the bosses, a message that says the bosses will have to pay one Bitcoin a day if they want the attacks to be stopped.
  • Some of the messages were signed off with revil_this_is_our_dominion, the sign-off indicates the REvil RaaS group is behind the attack or perhaps these messages are from an imposter

A day after the attacks, the threat actors sent 15 million requests to the same site; this time warning the CEO that the company’s stock price would crash by hundreds of millions

Initial evidence points out the Meris botnet carrying out these DDoS attacks. The botnet uses thousands of IoT devices hacked because of an old vulnerability called CVE-2018-14847 existing in MicroTik routers. 

The attackers are exploiting the vulnerability even though it was discovered years ago.