The LockBit ransomware group last week claimed responsibility for an attack on cybersecurity vendor in June. The high-profile gang is now apparently under a distributed denial-of-service (DDoS) because of it.
Azim Shukuhi, a cybersecurity researcher with Cisco’s Talos threat intelligence group, wrote in a tweet over the weekend that “someone is DDoSing the Lockbit blog hard right now.”
LockBitSupp, the public face of LockBit that interacts with companies and cybersecurity researchers, told Shukuhi that the group’s data leak site was getting 400 requests a second from more than 1,000 servers and that the group promised to add more resources to the site and to “drain the ddosers money,” he wrote.
Vx-underground, which collects malware source code and samples, wrote in a tweet that LockBit told them they were under a DDoS attack because of the Entrust hit. When Vx-underground asked how the ransomware gang knew it was because of the Entrust attack, LockBit sent a screenshot of the messages coming in, all of which referenced enstrust.com.
DDoS campaigns are designed to disrupt the normal operations of a website by overwhelming it with a flood of internet traffic or messages. It appears to be working, with reports saying that LockBit’s leak site has been up and down.
The DDoS attack came within a day after LockBit, which uses a ransomware-as-a-service (RaaS) operating model, took responsibility for the Entrust attack, creating a leak page for the vendor and threatening to release all the data it had stolen if the company did not pay the demanded ransom. The creation of the page indicates that Entrust – if Lockbit was indeed the bad actor as claimed – had yet to bend to LockBit’s demands.
Entrust learned June 18 that it was hit by a ransomware attack and began notifying customers about it in early July. In a letter to customers, Entrust president and CEO Todd Wilkinson wrote that “an unauthorized party accessed certain [parts] of our systems used for internal operations.” Some files were taken from internal systems but Wilkinson wrote that it didn’t seem that the attack affected the operation or security of its products or services.
The letter wasn’t clear about whether the pilfered files were related to Entrust or any of its customers. At the time, the company said that those products and services are run in separate and air-gapped environments from its internal systems.
The identity management and authentication company notified law enforcement and began working with another cybersecurity vendor.
The CEO added that the investigation was ongoing but that the vendor had found “no evidence of ongoing authorized access to our systems and are implementing additional safeguards to help enhance our security.”
Entrust’s customers include a range of US government agencies, including the Department of Homeland Security, the Treasury Department, and the Department of Energy. It also includes insurance and financial companies as well as tech firms like VMware and Microsoft.
The attack on Entrust is part of a growing trend of online threats against third-party suppliers, à la the SolarWinds attack last year. Cybercriminals see such supply chain attacks as an easy way to reach large numbers of potential victims through the third-party vendors they use. The NCC Group said in a report that the number of supply chain cyberattacks jumped 51 percent year-over-year in the last half of 2021.
The LockBit gang, whose malware of the same name was first detected in 2019, has become one of the more prolific threat groups in the growing and evolving ransomware scenes. A report by cybersecurity vendor Digital Shadows found that LockBit in the second quarter accounted for 32.77 percent of all incidents where victim organizations were posted to ransomware leak sites.
LockBit had a 13.8 percent quarter-over-quarter increase in the number of victim organizations listed on its leak sites, according to Digital Shadows.
Most recently LockBit late last month claimed to have stolen 78GB of data from Italy’s tax agency.
In June, the company released the latest version of its ransomware, LockBit 3.0. The latest iteration included a bug bounty program, with the group offering rewards from $1,000 to $1 million to individuals who offer exploits, personal data on potential victims, information on high-value targets, or ideas for improving the gang’s operations.
The group also created new dark web sites for LockBit 3.0 and is now accepting Zcash cryptocurrency for payment. In addition, anyone can now buy the stolen data and allowing victims to pay the group to destroy the data or to extend the deadline for paying the ransom.
The release of LockBit 3.0 could fuel more ransomware attacks in the third quarter, as did the launch of an improved version in 2021. The new features “could also inspire other groups to follow in their footsteps, depending on the success of their new offerings,” researchers wrote.
LockBit is an example of an ongoing shift in ransomware, away from simply encrypting a victim company’s data and demanding payment in return for a decryption key and toward simply exfiltrating data files and threatening to publicly post them on leak sites unless the ransom is paid. ®