Threat actors are continually innovating and rethinking their attack patterns \u2013 as well as who they target with attacks. This is clearly seen in their targeting of \u00a0Voice over Internet Protocol (VoIP) providers, as highlighted in\u00a0NETSCOUT\u2019s 2H 2021 Threat Report. Why target VoIP providers? The short answer is financial gain. Attackers know bringing down VoIP providers that service a large number of customers causes a lot of pain and therefore is ripe for extortion.Cyber attackers launched three worldwide distributed denial-of-service (DDoS) extortion attack campaigns in 2021 \u2013 a startling new achievement carried out by a REvil copycat, Lazarus Bear Armada (LBA), and Fancy Lazarus. But threat actors did more than simply increase such global attacks.They also focused attention on targets they\u2019ve seemingly ignored in the past, as evidenced by attacks against VoIP providers. In one case, a DDoS extortion attack carried out by the REvil copycat resulted in an estimated revenue loss of several million dollars for the VoIP provider.Initially, retail and wholesale VoIP providers based in the UK were the targets of the campaign. This was followed by attacks launched against VoIP operators in Western Europe and North America. The massive impact of the attack was revealed when a single VoIP wholesaler filed a form with the US Securities and Exchange Commission (SEC) estimating the total cost of the DDoS attack at between $9 million - $12 million.But attackers didn\u2019t stop there. Several VoIP providers from around the globe were taken offline as a result of DDoS extortion campaigns. To gain more insight into these attacks, it\u2019s helpful to know that VoIP providers and their infrastructure fall under two primary verticals as defined by North American Industry Classification System codes: all other telecommunications, and data processing hosting and related services (cloud computing).VoIP providers that fall under the \u201call other telecommunications\u201d code experienced a 93% increase in attacks from the first half of \u00a02021. Meanwhile, there was a marked increase in attacks against VoIP providers that fall under the \u201cdata processing hosting and related services\u201d code \u2013 especially those located in EMEA. Indeed, VoIP providers in the \u201cdata processing hosting and related services\u201d category were the top target in EMEA for the second half of \u00a02021.In several cases, including those listed below, VoIP providers publicly acknowledged the attacks.The CEO of\u00a0bandwidth.com issued a statement\u00a0in September 2021 in which he acknowledged \u00a0the company had been targeted with rolling DDoS attacks. \u201cWhile we have mitigated much intended harm, we know some of you have been significantly impacted by this event."Bleeping Computer reported in September 2021 that VoIP provider\u00a0VoIP.ms had been hit by a DDoS attack\u00a0that targeted its DNS name servers. The attack disrupted telephony services, including loss of service, dropped calls, poor performance, and the inability to forward lines. A threat actor claiming to be REvil claimed responsibility and reportedly said the attack could be stopped for one bitcoin, or the equivalent of $45,000.ZDNet reported that\u00a0UK.-based Voip Unlimited also was hit with a DDoS attack\u00a0in September by a group claiming to be REvil. Voip Unlimited\u2019s CEO said the company had been hit with an alarmingly large and sophisticated DDoS attack attached to a \u201ccolossal ransom demand,\u201d resulting in the intermittent or total loss of services.Access the\u00a0full interactive 2H 2021 Threat Report\u00a0to learn more about how attackers are changing strategies to bring down VoIP providers.