Threat actors are targeting voice-over-Internet provider VoIP.ms with a DDoS attack and extorting the company to end the onslaught, which is severely disrupting the operation of the business.
VoIP.ms is an Internet telephone service company that provides affordable VoIP service to businesses around the world.
Telephone services interrupted while the site goes down
On September 16, 2021, VoIP.ms fell victim to a distributed denial of service attack targeting their infrastructure, including DNS name servers.
Because customers configured their VoIP equipment to connect to the company’s domain name, the DDoS attack disrupted phone services, preventing them from receiving or making phone calls.
Since DNS was no longer working, the company advised customers to modify their HOSTS file to point the domain to their IP address in order to bypass DNS resolution.
However, this only led the threat actors to launch DDoS attacks directly against that IP address as well.
To mitigate the attacks, VoIP.ms has moved its website and DNS servers to Cloudflare, and although they have reported some success, the company site and VoIP infrastructure are still having issues as the denial of service attack continues.
“A Distributed Denial of Service (DDoS) attack continues to target our websites and POP servers. Our team is making continuous efforts to stop this, but the service is intermittently affected. We apologize for any inconvenience,” says an announcement posted on VoIP.ms.
At the time of this writing, the site is oscillating between being accessible and displaying a 500 internal server error.
Today, customers continue to experience issues with their phone service, including loss of service, dropped calls, poor performance, and the inability to transfer lines.
Threat actors demand ransom
On September 18, a threat actor using the name “REvil” claimed responsibility for the attack and posted a link to a ransom note hosted on Pastebin.
This ransom note has since been removed from Pastebin, but BleepingComputer has been informed that it demanded one bitcoin, or roughly $45,000, to stop the DDoS attacks.
REvil is the name of a notorious ransomware operation that recently started attacking victims again after disappearing on July 13.
REvil is not known for DDoS attacks or public ransom demands like those in the VoIP.ms attack. The extortion method of this attack makes us believe that the threat actors are simply masquerading as the ransomware operation to further intimidate VoIP.ms.
Shortly after their original tweet, the threat actors increased their extortion demand to 100 bitcoins, or roughly $4.3 million.
Customer responses to the attack on VoIP.ms have been mixed.
Some believe that VoIP.ms should pay the ransom to restore the services before they themselves lose customers. At the same time, other VoIP.ms customers pledge to stay with them and tell the company not to give in to the ransom demand.
BleepingComputer contacted VoIP.ms with questions regarding the attack but did not receive a response.