Cyber Incident Victim: VoIP.ms

Date: Sep 2021

Location: Canada

Summary

A voice-over-IP provider suffered a disruptive DDoS attack targeting its DNS infrastructure, severely impacting telephony services and preventing customers from making or receiving calls. Mitigation attempts, including advising clients to modify HOSTS files and migrating to Cloudflare, were partially successful but services remained intermittently affected as attacks continued. Threat actors impersonating the REvil ransomware group claimed responsibility, initially demanding one bitcoin and later escalating to 100 bitcoins to halt the attacks. The incident caused prolonged service disruptions, including dropped calls, performance degradation, and inability to forward lines, while customer reactions varied between urging payment and supporting resistance against the extortion.

Description

On September 16, 2021, VoIP.ms, a global provider of voice-over-IP services, experienced a distributed denial-of-service (DDoS) attack targeting its infrastructure, including DNS name servers. The attack disrupted telephony services for customers who relied on the company’s domain name for configuring VoIP equipment, preventing them from making or receiving calls. In response to DNS failures, VoIP.ms advised customers to modify their HOSTS files to bypass DNS resolution by pointing directly to the company’s IP address. This mitigation strategy proved ineffective, as threat actors subsequently redirected DDoS attacks toward the IP address itself. VoIP.ms transitioned its website and DNS servers to Cloudflare to counter the assaults, achieving partial success, though service interruptions persisted due to ongoing attacks. By September 20, customers continued reporting operational issues, including dropped calls, service outages, performance degradation, and failures in call forwarding.

On September 18, a threat actor using the name “REvil” claimed responsibility for the attack and linked to a Pastebin ransom note demanding one bitcoin (approximately $45,000 at the time) to halt the DDoS campaign. The note was later removed from Pastebin. The attackers subsequently escalated their demand to 100 bitcoins (roughly $4.3 million). Security analysts noted REvil’s lack of historical association with DDoS extortion, suggesting the attackers were impersonating the ransomware group to intensify pressure on VoIP.ms. Customer reactions diverged, with some urging the company to pay the ransom to restore services and prevent further client losses, while others advocated against capitulation. VoIP.ms maintained public updates acknowledging the attack’s persistence and its team’s mitigation efforts but did not disclose whether ransom negotiations occurred. Service disruptions remained unresolved as of the latest reporting date.
