Attackers are bombarding targets with multiple ransom notes to extort and also manipulate the stock price of targeted companies. These notes were added as a string_of_text directed to CEOs.

The DDoS attack and ransom note

Recently, a DDoS ransomware threat actor targeting one of the customers of Imperva crippled a single website with up to 2.5 million requests per second. Within these requests, a researcher observed multiple ransom notes that kept updating with time.
  • The first note is sent just before the launch of a DDoS attack. By the time the target receives the note, the attack is already making its way into targeted systems. This is to create a sense of urgency for the victims to pay.
  • A message is also addressed to the bosses stating that they will have to pay one Bitcoin a day if they wish attackers to stop the attacks.
  • Some of the embedded messages were signed as revil_this_is_our_dominion, suggesting that the attacks may be related to the REvil RaaS group or maybe these messages are coming from an imposter.

Threats to tank stock values

A day after the attacks, the attackers sent 15 million requests to the same site with a new message that warned the CEO to tank the company’s stock price by hundreds of millions in market cap.

Who is behind the attack?

  • Based on the evidence, the DDoS attacks came from the Meris botnet that uses thousands of IoT devices hijacked due to a years-old vulnerability tracked as CVE-2018-14847 in MicroTik routers.
  • It's been a while since the flaw was disclosed, however, attackers are still exploiting it.


Cybercriminals are becoming innovative with their techniques to target bigger firms with impersonation attacks. Thus, organizations are suggested to invest sufficiently in their network security systems to stay protected.
Cyware Publisher