The LockBit ransomware gang’s data leak website has been taken offline through a DDoS attack (distributed denial of service attack). The attack seems to respond to the group’s exposure of data stolen from security firm Entrust.

Entrust Breach Details

Security firm Entrust was targeted in a cyberattack on 18 June 2022. The firm notified its customers regarding the data breach on July 6th. The intrusion was publicly disclosed on 21 July after a security researcher accessed a copy of the company’s data breach notification sent to its customers. A ransomware attack was suspected of targeting Entrust, but the operators weren’t named.

On August 18th, the LockBit ransomware gang took responsibility for Entrust data breach. It threatened the firm to leak the entire trove of data, approximately 30GB if the company refused to pay the ransom within 24 hours.

Per researcher Soufiane Tahiri, who accessed a copy of the communication between the LockBit gang and Entrust, the attackers initially demanded $8 million in ransom. They later reduced it to $6.8 million, while Entrust claimed it could only pay $1 million.

Chatlogs between LockBit ransomware gang and Entrust (Image: Soufiane Tahiri)

DDoS Attack Details

As soon as LockBit ransomware operators started publishing data stolen from Entrust, their Tor-based leak site received a DDoS attack. Cisco Talos researcher Azim Shukuhi revealed that the LockBit group claimed to receive 400 requests per second from over 1,000 servers.

The requests included a string forcing the ransomware operators to delete the data. It is currently unclear who launched this DDoS attack. Their website (LockBit 3.0) is currently offline.

According to LockBit, Entrust is responsible for DDoSing its website, but the company is least likely to admit it even if it is actually involved because of being a legit cybersecurity-oriented firm. It could also be the work of a rival ransomware group that wanted to target LockBit operators and blame Entrust.

LockBit Ransomware Operators' Website Hit By DDoS for Exposing Entrust Data
LockBit’s website at the time of publishing this article

LockBit Operators Hit Back After Website Taken Offline

The gang has vowed to employ aggressive tactics in retaliation to a DDoS attack on its website. In a tweet, the group claimed it would attack its targets with a triple extortion model instead of their previously preferred double extortion model. The group announced that it is recruiting new members as part of its modified strategy.

For your information, triple extortion is a recently devised method to target victims. This technique was recently used in attacks by the REvil group. This method adds an additional layer of threat, such as a DDoS attack against the victim to force them to pay.

Conversely, in the double extortion technique, hackers steal data and encrypt it on their targeted device before asking for ransom. Additionally, LockBit will start including randomized payment links in its ransom notes to make it difficult for countering tactics like DDoS to affect their payment site.

  1. Google Fended Off Largest Ever Layer 7 DDoS Attack
  2. Fake Cloudflare DDoS protection popups distribute malware
  3. Cyber Security Giant Mandiant Denies Hacking Claims By LockBit
  4. Universal decryptor key for Sodinokibi, REvil ransomware released
  5. Husband and wife among ransomware operators arrested in Ukraine