Ransom Denial-of-Service (RDoS) campaigns in 2022 are becoming increasingly sophisticated while threat actors are leveraging advanced tactics to pressure their victims. Some of the more concerning RDoS attacks have come from groups claiming to be Phantom Squad and REvil.

This is according to the “Ransom Denial-of-Service (RDoS) 2022” report by cybersecurity and application delivery solution provider Radware. The research was conducted using threat intelligence tools that provide deep dark web monitoring as well as first-hand experiences responding to and mitigating attacks from Ransom Denial-of-Service threat groups.

Some are taking advantage of the heightened cybersecurity concerns and are now impersonating notorious threat groups and sending out ransom threats, some with no intention of launching an attack, hoping to make a profit.

Radware has observed fake RDoS threat groups or a new threat group leveraging the name and tactics, techniques, and procedures (TTPs) of the former campaign. One recent instance is the emergence of a ransom letter on May 22nd that appeared identical to a 2017 letter from Phantom Squad impersonators that never carried out the attack they described and instead sowed fear. 

The only difference between both letters is the addition of a targeting section, where the threat group provides IP addresses and domain names of their intended targets.

“Determining a threat’s validity is difficult, but several indicators can be used to determine the risk. Indicators such as how many victims are targeted, how high or low the ransom demand is, and if a demonstration attack was observed,” Radware’s report stated. “Unfortunately, it is still unknown how many organizations have received the current letter in circulation at the time of writing. Radware knows that only one group of victims was targeted and no attacks have been reported. But one suspicious indicator stands out in the current ransom letter: the Bitcoin address.”

The Bitcoin address used in the recent ransom letter from the group claiming to be Phantom Squad corresponds to a dormant wallet once used during the notorious WannaCry ransomware campaign in 2017. However, the current RDoS campaign is likely using the wallet, its transactions, and the value to spread fear for yet unknown reasons, according to the report. 

Also, a renewed campaign of RDoS attacks by a group claiming to be REvil emerged in the first quarter of 2022. In addition to sending warning ransom notes, the group also embedded the ransom note and demands in the attack payload. 

In early May 2022, Radware was notified of an RDoS attack with a ransom message embedded in the URL, signed with “REvil, this is our dominion.” The ransom note differs from earlier reported notes, and the threat actors seem to be customizing their demands and messages based on the targetted victim.

“RDoS threat groups posing as Phantom Squad and REvil appear to be targeting organizations in Europe, the United States and Asia. And while the 2017 Phantom Squad campaign went without actual DDoS assaults, we still recommend organizations to stay vigilant,” said Daniel Smith, the head of research for Radware’s cyber threat intelligence division. “The group posing as REvil has been launching large-scale DDoS attacks and using advanced tactics to pressure its victims. Last year, we noted that RDoS has become a persistent threat, and we do not expect this to change any time soon.”