Revil Ransomware

Got a message from my client indicating that a site using Cloudflare is being used for the Revil Ransomware (my sites aren’t infected), and as a result they have blocked the IP 172.64.80.1, so anyone being routed through that IP by Cloudflare is currently being blocked by their corporate firewall. This blocking was mandated by the Ministry of Education in Ontario (Canada), so I assume I am probably not the only one who is affected. I emailed support, but it looks like they might not care because my account is on a free plan (basically got an email referring me here). Thought someone might want to know. Hopefully someone here can escalate. Looks like the Cloudflare IP is in Kansas if that helps at all.

You should enable IUAM immediately! (Do that now)

Also do NOT accept the payment (if you do so they know they’ve found a target!)

I’m not under attack. The IP looks to be a Cloudflare data centre IP - if they are under attack, I assume this is a huge issue.

Counter it via a firewall rule (allow it or allow it to bypass)

Oh, ok

Then how did “they” block the IP?

What’s the domain?

They blocked all incoming requests from that IP, so anyone being routed through the Cloudflare data centre in Kansas is being blocked. If users clear their DNS cache and end up being routed through somewhere else, they are able to access the site.

So what’s the issue?

Like I mentioned allow the IP via a firewall rule (or allow it to bypass)

It sounds like your goal is to shut them down. And rightfully so.

Cloudflare is not a web host and has no control over the content that is displayed on a website. If you feel that a site is engaging in illegal or inappropriate activities, you can submit an abuse report, at Cloudflare Abuse Form | Cloudflare. The Trust and Safety team will then review the details and reply if appropriate. You can also report the site to your relevant local authorities. Complaints cannot be filed via this forum.

I think that he is trying to point out that a major ISP/centre has blocked a set of CF IPs as they were endpoints of ransomware. Which honestly is rather silly when they can just block the domain and all the fallback domains the binary has.

The issue is that I can’t control where people are being routed from - that’s a Cloudflare thing. The provincial government here sent out a notice to have IT staff from all departments mitigate this, so if there are a bunch of IT departments blocking the IP, I thought Cloudflare should know about it to prevent it. It could impact a lot of users.

That’s certainly a common overkill approach, but the root cause is a bad actor using Cloudflare.

Cloudflare really doesn’t control this, either. ISPs control routing.

You nailed it. I agree it seems extreme, but it’s a government notice, so I doubt there is a lot I can do to change their minds. Hoping someone at Cloudflare will see this, and be able to offer some assistance.

Exactly. I left a list of sites that had been identified (from the notice) in the ticket I created. Since I am on a free account, I’m not sure they will ever get to it.

The ticket system isn’t handled by Trust and Safety. Unless you mean “abuse form” instead of Ticket. In which case, that’s as much as you can do.

Thanks for the suggestion - I didn’t realize there was a separate form. Will look for the “abuse form”.

I don’t think that Cloudflare has much to do here, instead, the provincial government shall look into taking better measures against ransomware.
The IP to which a malware connects can change anytime; in fact, a proper malware runs through fast-flux DNS (https://en.wikipedia.org/wiki/Fast_flux).
The measures they have taken are not just poor (affecting legitimate businesses and customers) but weak because it has zero guarantees of stopping the attack.
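The point made in this thread (an IP block on a shared CDN edge misses a fast-flux domain while hitting unrelated sites on the same IP) can be checked quantitatively. The script below is an added example, not part of the original thread and not Cloudflare code: the hostnames, addresses and log rows are constructed for illustration, and the evaluation compares an IP-based rule with a domain-based rule over the same observations.

```python
"""Compare IP-based and domain-based blocking against constructed traffic logs.

Added example; not from the original forum thread. Every hostname, IP and
log row below is constructed for illustration (RFC 5737 documentation
ranges), so nothing here describes real infrastructure.
"""
from collections import Counter

# Constructed observations: (timestamp, client, domain, resolved_ip, label).
# The malicious domain is fronted by shared edge IPs that rotate between
# resolutions (fast-flux style); legitimate sites land on the same edge IPs.
OBSERVATIONS = [
    ("t1", "pc-01", "evil.example", "203.0.113.10", "malicious"),
    ("t2", "pc-02", "shop.example", "203.0.113.10", "legit"),
    ("t3", "pc-03", "evil.example", "203.0.113.20", "malicious"),
    ("t4", "pc-04", "school.example", "203.0.113.20", "legit"),
    ("t5", "pc-05", "evil-fallback.example", "198.51.100.5", "malicious"),
    ("t6", "pc-06", "news.example", "203.0.113.30", "legit"),
    ("t7", "pc-07", "evil.example", "203.0.113.30", "malicious"),
]


def ip_block_rule(blocked_ips):
    """Firewall-style rule: drop anything resolving to a listed IP."""
    blocked = set(blocked_ips)
    return lambda obs: obs[3] in blocked


def domain_block_rule(blocked_domains):
    """DNS/proxy-style rule: drop anything whose hostname is listed."""
    blocked = set(blocked_domains)
    return lambda obs: obs[2] in blocked


def evaluate(rule, observations=OBSERVATIONS):
    """Count what a rule blocks and misses, split by ground-truth label."""
    counts = Counter(blocked_malicious=0, missed_malicious=0,
                     blocked_legit=0, allowed_legit=0)
    for obs in observations:
        blocked = rule(obs)
        if obs[4] == "malicious":
            counts["blocked_malicious" if blocked else "missed_malicious"] += 1
        else:
            counts["blocked_legit" if blocked else "allowed_legit"] += 1
    return dict(counts)


def distinct_ips_for(domain, observations=OBSERVATIONS):
    """Set of IPs a hostname resolved to; more than one hints at flux."""
    return {obs[3] for obs in observations if obs[2] == domain}


if __name__ == "__main__":
    # The notice named one edge IP; the binary also knows a fallback domain.
    print("IPs seen for evil.example:", sorted(distinct_ips_for("evil.example")))
    print("IP block  :", evaluate(ip_block_rule(["203.0.113.10"])))
    print("Domain block:", evaluate(domain_block_rule(
        ["evil.example", "evil-fallback.example"])))
```

Run as-is, the single-IP rule stops one of four malicious connections while cutting off a legitimate site on the same edge; the domain rule stops all four with no collateral. Feeding it real resolver or proxy logs instead of the constructed rows is the practical check before a blocklist entry goes out.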