Entrust is accused by LockBit of being behind the cyberattack. If such were the case, a genuine security firm would never retaliate by conducting a DDoS assault against criminals.
Following a DDoS attack that knocked the LockBit ransomware gang offline for several days, the group has claimed that it will pursue more aggressive methods while aggressively recruiting new members.
In a tweet revealing its new tactic, the gang states that it would now assault its victims using a triple extortion model, which is based on the popular double extortion method.
Triple extortion ransomware is a relatively new approach that threatens the victim or their customers with a DDoS attack in order to force them to pay. This is an outgrowth of the so-called double-extortion ransomware, in which hackers not only encrypt but also take data from compromised systems.
Triple extortion is uncommon, although it has been attributed to assaults by the now-defunct REvil gang, which was notorious for employing unconventional techniques in its campaigns.
In addition to triple extortion, LockBit claimed that it will begin inserting unique and random payment URLs in each ransom note, making it more difficult for countermeasures such as DDoS assaults to damage the threat actor’s payment site.
On Friday, August 19, shortly after LockBit revealed what looked to be hacked data concerning cybersecurity firm Entrust, security experts noticed that LockBit’s website was being exposed to a DDoS assault.
Azim Shukuhi, a security researcher, tweeted on Sunday that the ransomware group was rejecting 400 requests per second from over 1,000 servers. Shukuhi also claimed that at the same time, the AlphV/BlackCat ransomware gang was attacked in a similar attack, but that their website was swiftly restored. It is yet uncertain whether the assaults are linked.
In an interview with malware research company VX-Underground, a LockBit support worker accused Entrust of being behind the hack against it. LockBit supplied a snapshot of the attack in operation, displaying requests with a strongly worded comment in the browser’s user agent field asking LockBit to erase Entrust data.
If Entrust was responsible for the LockBit assault, it would be the first time a cybersecurity firm launched an offensive security operation against a ransomware group. The LockBit leak site was unreachable at the time of publishing. Entrust has not verified whether it is responsible for the LockBit attack.
Entrust declared a cyberattack on the firm in late June 2022, but would not say if it was ransomware or not.
A LockBit customer service representative allegedly revealed screenshots of post-attack conversations between the ransomware organization and Entrust.
Conversations with researcher Soufiane Tahiri stretch back to June 29, 2022, with the ransom first set at $8 million but then dropped to $6.8 million. Dominic Alvieri, another security researcher, discovered and tweeted a message sent by Entrust to its clients on July 6 notifying them of the original June 18 assault.
“I believe the firm intended to stay quiet during the discussions in order to rapidly reach an agreement after informing customers.” After the hacking attack was discovered, they just stopped negotiating,” Alvieri explained.
LockBit says that Entrust is behind the assault; nevertheless, Entrust, as a reputable cybersecurity firm, is unlikely to ever acknowledge to conducting offensive security operations. DDoS assaults, although being rather prevalent in cybersecurity, are illegal, and it is doubtful that a corporation of Entrust’s repute would acknowledge to carrying out an unlawful attack.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
