Ransomware gang LockBit says it has been hit with a distributed denial of service (DDoS) attack, which appears to have knocked its leak site offline. The attack comes after the gang claimed responsibility for a hack on security giant Entrust earlier this year.
The DDoS attack on LockBit’s darkweb server, which hosts leaks from companies the gang has attacked, began yesterday, and according to security researcher Azim Shukuhi, of Cisco Talos, the gang has been receiving “400 requests a second from over 1,000 servers”.
someone is DDoSing the Lockbit blog hard right now. I asked LockBitSupp about it and they claim that they’re getting 400 requests a second from over 1000 servers. As of this writing, the attack appears to be active. Lockbit promised more resources & to “drain the ddosers money”
— Azim Shukuhi (@AShukuhi) August 21, 2022
The perpetrator of the DDoS attack is unknown, and though LockBit’s server was briefly back online earlier today, at the time of writing, it remains down.
Why is LockBit experiencing a DDoS attack?
Thought to be based in Russia, LockBit is now in its third incarnation, known as LockBit 3.0, having undergone several rebrands since it was first spotted in 2019.
It has been one of the most active ransomware groups this year, according to a report from Digital Shadows, which says it accounted for 32.88% of all incidents involving data being posted to ransomware leak sites in Q2, with 231 victims.
Recent victims have included French mobile phone network La Poste Mobile and electronics manufacturer Foxconn. On Friday the gang said it was behind the June attack on Entrust, which provides digital identity and security services to businesses, and that it planned to publish all stolen data online. Over the weekend, it began to leak information purportedly from the breach, and this seems to have triggered the DDoS attack which has taken down the group’s platform.
Break in the LockBit DDoS attack and caught the site with the adjusted post.
-leak site offline again
-post showing Entrust published
-again unable to obtain Entrust file
@Entrust_Corp #LockBit #cybersecurity #infosec @BleepinComputer @TheRegister https://t.co/2omx5NEchj
— Dominic Alvieri (@AlvieriD) August 22, 2022
Data seen on the leak site before it went offline appeared to consist of accounting and legal documents and marketing spreadsheets from Entrust.
What happened in the Entrust ransomware attack?
As reported by Tech Monitor, Entrust, which provides digital ID services to tens of thousands of companies around the world, admitted a breach of its systems which began in June. At the time, Yelisey Boguslavskiy, head of threat research at security company AdvIntel, said the incident was likely to be the work of a “top tier” hacking gang.
Though it admitted the incident took place, Entrust said it had “found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems”, but said it was working with a cybersecurity vendor and law enforcement agencies to investigate further.
LockBit is threatening to leak the entirety of the stolen data, suggesting any ransom demand made of Entrust has not been paid. Tech Monitor has contacted Entrust for comment.