Bandwidth.com CLEC LLC, a provider of voice over internet protocol or VoIP services, continues to suffer from a distributed denial-of-service attack that has caused outages to its services.

The attack began Sept. 25 and affected voice, messaging, Enhance 911 services and access to its portal. Since Bandwidth.com is also a wholesale provider to other VoIP providers, the DDoS attack has also affected services offered by Twilio Inc., Accent Communications Services Inc., DialPad Inc., Phone.com Inc. and RingCentral Inc.

As of 9:30 p.m. EDT, Bandwidth.com lists partial outages across both inbound and outbound calling services.

Bandwidth.com Chief Executive Officer David Morken confirmed the DDoS attack in a message to customers and partners today, saying that “while we have mitigated much-intended harm, we know some of you have been significantly impacted by this event. For that, I am truly sorry.”

Who is behind the DDoS attack is not known. That said, Bandwidth.com is not the first VoIP provider targeted in a DDoS attack in recent months. In early September, two U.K. providers, VoIP Unlimited and Voipfone, were targeted, while in mid-September, Canadian provider VoIP.ms was also attacked. In both cases, those behind the attacks demanded ransom payments to cease targeting the companies.

Bleeping Computer reported that the case of VoIP.ms involved threat actors impersonating the ransomware group REvil. The ransom demanded started at one bitcoin ($41,384), then escalated to 100 bitcoins ($4.138 million).

“DDoS attacks and related extortion is nothing new to the internet and has been occurring for years; however, as more services are consolidated with single providers, the impact is far greater than if attacking a single organization in the same way,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “By using the name and reputation of the REvil ransomware group in the DDoS extortion demands, the attackers are likely trying to look more menacing than they really are.”

Chris Clements, vice presidents of solutions architecture at cybersecurity company Cerberus Cyber Sentinel Corp., noted that a DDoS attack that would otherwise introduce a noticeable but manageable delay in service for many organizations, say half a second up to a second, can make a low-latency provider like VoIP or online gaming effectively unusable.

“The second type of organization that can face inordinate damages from such an attack are those that have embraced the cloud for scalable services,” Clements added. “Scalable services are great for ‘rightsizing’ computing power to varying demand, but an organization leveraging this can find itself facing an astronomical bill from its provider if hit by a major DDoS attack.”

Image: Bandwidth