The REvil ransomware group often introduces new tactics to benefit itself and its affiliates. This time it has adopted a new tactic that its affiliates can use to exert even more pressure on victims.

What's new this time?

REvil operators are now utilizing DDoS attacks and making VOIP calls to victims' business partners and journalists.
  • This active campaign includes a free service where the group or affiliated partners will perform voice-scrambled VOIP calls to the media and victim's business partners with information about the attack to create additional pressure.
  • Moreover, the gang is providing a paid service that allows affiliates to perform Layer 3 and Layer 7 DDoS attacks against the victims.

Behind the scenes

In February, REvil operators had posted a job notice in which they were looking to recruit people to perform DDoS attacks and use VOIP calls to contact victims and their associated partners.

Related activities

The implementation of DDoS attacks by ransomware gangs has been observed in the past as well.
  • In January, the Avaddon ransomware gang was observed using DDoS attacks to take down a victim's network to force victims into paying the ransom.
  • The active use of DDoS attacks was first spotted in October 2020 by SunCrypt and Ragnar Locker ransomware operations.

Recent REvil activities


It would be safe to state that REvil will keep updating its tactics to maximize its profit. The use of DDoS attacks and VOIP calls by ransomware gangs basically creates extra pressure on the victims. It is inspiring several other gangs as well into utilizing these tactics.

Cyware Publisher