The infamous REvil ransomware gang recently announced that it is planning to test a new tactic in its malicious operations.

The new strategy will see the REvil Gang, also known as Sodinokibi, employ Distributed Denial of Service (DDoS) attacks combined with voice calls to members of the press and their victim’s associated business partners, in order to drive ransom payments.


The ransomware outfit is currently classified as a ransomware-as-a-service (RaaS) operation that develops and designs both the malware and dedicated payment site used in attacks, while its known affiliates compromise targeted networks and deliver ransomware payloads.

For their role in the insidious dealings, REvil ransomware gang developers can expect to earn somewhere between 20% to 30% of paid ransoms, while their affiliates take the lion’s share of around 70% to 80%.

To drive their carefully selected victims into making the requested payment, ransomware groups have been increasingly adopting a double-extortion approach. This involves attackers not only encrypting files and locking out access but also stealing confidential data files and threatening to disclose them should a ransom not be paid.

New weapons in the ransomware arsenal

Back in February, investigations revealed that the REvil ransomware gang were advertising for new talent. The malicious operators posted an employment notice on a hacker forum stating they were seeking to recruit individuals willing to execute DDoS attacks and employ Voice over Internet Protocol (VoIP) calls in order to contact both victims and their associated partners.

Following this advertisement on the dark web, 3xp0rt, a known cybersecurity researcher, uncovered that the REvil ransomware gang had announced that it was introducing new strategies and that these could be employed by its known affiliates to leverage further pressure on selected victims.

The new tactics are set to involve a free of charge service where affiliated partners, or the threat actors themselves, will be able to perform voice-scrambled VoIP calls to both international journalists and business partners of the victim, informing them of details regarding the attack.

The infamous ransomware outfit is most likely working on the assumption that if enterprises are warned of the possibility of their confidential data being disclosed via an assault on one of their business partners, this will add even greater pressure for a victim to give in and pay.

The ransomware operators are also offering a fully paid service that enables their affiliates to execute Layer 7 and Layer 3 DDoS attacks on an enterprise for optimum pressure.

Layer 3 attacks are typically employed to rip down a firm’s internet connection. However, threat actors usually use a Layer 7 type attack to pull down an application that is publicly accessible, like a web server, for example.

Last October, ransomware gangs Ragnar Locker and SunCrypt started to utilise DDoS attacks against their targets for added pressure to force them to make payments, while January this year saw the Avaddon ransomware group employing the same strategy. Nonetheless, the tactic of contacting a victim’s business partners represents a new string to the ransomware bow.