The notorious LockBit ransomware gang's data leak website was compromised after being hit by a distributed denial-of-service (DDoS) attack. The hacker group blamed cybersecurity company Entrust for the strike, as Entrust had been the victim of an attack initiated by the hacker collective in June 2022.
Sources state that the attack was in retaliation for the hacker group's recent intrusion into the cybersecurity company. However, Entrust did not publicly disclose the actual name of the perpetrator behind the attack.
An attempt at retaliation
I believe the company wanted to keep it quiet during negotiations and quickly settle after notifying customers.
When the cyber incident was exposed they just stopped negotiating. pic.twitter.com/krELtLdRSw
— Dominic Alvieri (@AlvieriD) August 22, 2022
On June 18, 2022, Entrust suffered a cyberattack from an unknown threat actor. The firm notified its users about the attack the following month and publicly announced the breach on July 21, 2022. The intrusion was classified as a “ransomware attack,” but the offender’s name was not revealed in the public announcement.
However, on August 8, 2022, the LockBit ransomware gang announced that it was behind the data breach at Entrust. In its claim, the gang confirmed that it had demanded a ransom from the security company in exchange for 30GB of stolen data, which it threatened to leak on the internet.
According to cybersecurity researcher Soufiane Tahiri, who accessed a copy of the communication between the LockBit gang and Entrust, the attacker demanded $8 million in ransom but later reduced it to $6.8 million. However, the security company offered to pay only $1 million.
From the chat log timestamps, the negotiations started two months ago (29/06) and for some reason, after offering 1M$ (saving time?), Entrust stopped negotiating on 13/07.
FYI: The initial ransom was 8M$ then dropped to 6,8M$. pic.twitter.com/vJMSW5oxvW
— Soufiane Tahiri (@S0ufi4n3) August 22, 2022
LockBit’s DDoS attack: what went wrong?
someone is DDoSing the Lockbit blog hard right now. I asked LockBitSupp about it and they claim that they're getting 400 requests a second from over 1000 servers. As of this writing, the attack appears to be active. Lockbit promised more resources & to "drain the ddosers money" pic.twitter.com/NAB416k30l
— Azim Shukuhi (@AShukuhi) August 21, 2022
Since the negotiation over the extortion amount didn’t go as planned, the ransomware gang published small chunks of the stolen data on the internet. As soon as it started the operation, its Tor-based website was hit by a DDoS attack, making the website inaccessible.
Several cybersecurity specialists, including Cisco Talos researcher Azim Shukuhi, received information about LockBit's statement, in which the group claimed to be receiving over 400 requests per second from over 1,000 servers in an attack pressuring it to delete the stolen data.
However, although the attack referenced the term “Entrust” multiple times, it is still unclear who launched it, as the website (LockBit 3.0) is currently offline.
The LockBit gang has promised to retaliate against the attackers who used DDoS on its website. It tweeted that it will use a triple extortion model, a popular strategy among cybercriminals, in its next attack, which will be executed after it recruits more members to the gang.
To protect itself from counterattacks, the hacker group has also announced that it will include randomized payment links in its ransom notes so that victims won’t be able to use DDoS again.