LockBit gang hit by DDoS attack following Entrust data hack

LockBit was hit by a DDoS attack within a day after taking responsibility for the Entrust hack, creating a leak page for the vendor and threatening to release all the data it had stolen if the company did not pay the demanded ransom. The hacking gang which uses a ransomware-as-a-service (RaaS) operating model, indicated Entrust had yet to bend to LockBit's demands.

The LockBit gang, whose malware of the same name was first detected in 2019, has become one of the more prolific threat groups in the growing and evolving ransomware scenes.

DDoS campaigns are designed to overwhelm websites with a flood of internet traffic or messages in order to disrupt the site's normal operations. It appears to be working, with reports saying that LockBit's leak site has been up and down.

A tweet by Azim Shukuhi, a cyber security researcher with Cisco's Talos threat intelligence group, was the first indicator that LockBit had been hit by a DDoS attack.

"Someone is DDoSing the Lockbit blog hard right now," Shukuhi's tweet stated.

According to LockBitSupp, the public face of LockBit that interacts with companies and cyber security researchers, the group's data leak site was getting 400 requests a second from more than 1,000 servers. The LockBit spokesperson added that the group promises to add more resources to the site and to "drain the ddosers money".

In another tweet, Vx-underground, which collects malware source code and samples, explained that LockBit told them they were under a DDoS attack because of the Entrust hit. LockBit sent a screenshot of the messages coming in, to Vx-underground, all of which referenced entrust.com, when asked how the ransomware gang knew it was because of the Entrust "attack-back".

In June, LockBit released the latest version of its ransomware, LockBit 3.0. The latest iteration included a bug bounty program, with the group offering rewards from $1,000 to $1 million to individuals who offer exploits, personal data on potential victims, information on high-value targets, or ideas for improving the gang's operations.

VIEW ALL

The release of LockBit 3.0 could fuel more ransomware attacks in the third quarter, according to security researchers, as did the launch of an improved version in 2021.

"The new features could also inspire other groups to follow in their footsteps, depending on the success of their new offerings," researchers added.

The hacking group also created new dark web sites for LockBit 3.0 and is now accepting Zcash cryptocurrency for payment. The group also added a feature that enables anyone can now buy the stolen data and allow victims to pay the group to destroy the data or to extend the deadline for paying the ransom.

Entrust's customers include a range of US government agencies, including the Department of Homeland Security, the Treasury Department, and the Department of Energy. Insurance and financial companies as well as tech firms like VMware and Microsoft are also part of Entrust's broad clientele.

On June 18, Entrust was hit by a ransomware attack and began notifying customers in early July.

In a letter to customers, Todd Wilkinson, Entrust president and CEO wrote that "an unauthorised party accessed certain [parts] of our systems used for internal operations."

Wilkinson outlined that "some files were taken from internal systems that it didn't seem that the attack affected the operation or security of its products or services". However the letter was not clear about whether the pilfered files were related to Entrust or any of its customers.

The identity management and authentication company confirmed that it had notified law enforcement and began working with another cyber security vendor. At the time, the Entrust stated that those products and services are run in separate and air-gapped environments from its internal systems.

The CEO added that the investigation was ongoing but that the vendor had found "no evidence of ongoing authorised access to our systems and are implementing additional safeguards to help enhance our security".

Global cyber and software resilience company, the NCC Group has reported the number of supply chain cyber attacks jumped 51 per cent year-over-year in the last half of 2021.

According to data by cyber security vendor Digital Shadows, they found that LockBit accounted for 32.77 per cent of all incidents in the second quarter, where victim organisations were posted to ransomware leak sites. LockBit also had a 13.8 per cent quarter-over-quarter increase in the number of victim organisations listed on its leak sites, according to Digital Shadows.

LockBit is an example of an ongoing shift in ransomware, away from simply encrypting a victim company's data and demanding payment in return for a decryption key and toward simply exfiltrating data files and threatening to publicly post them on leak sites unless the ransom is paid.

The attack on Entrust is part of a growing trend of online threats against third-party suppliers. According to security researchers, cyber criminals see such supply chain attacks as an easy way to reach large numbers of potential victims through the third-party vendors they use.

[Related: Motorola awarded $60m to bolster NSW state emergency cyber security network]