Karma Calling: LockBit Disrupted After Leaking Entrust FilesRansomware Group's Site Hit by Days-Long Distributed-Denial-of-Service Attack
Ransomware karma: The notorious LockBit 3.0 ransomware gang's site has been disrupted via a days-long distributed-denial-of-service attack.
LockBit's site has been inaccessible for several days, with administrator "LockBitSUpp" blaming a DDoS attack, Azim Shukuhi, a security researcher at Cisco Talos, reported Friday. "I asked LockBitSupp about it and they claim that they're getting 400 requests a second from over 1,000 servers," he says.
"We all know these sites are MacGyvered together with bailing wire and toothpicks and are rickety as hell."
As of Tuesday, visitors to LockBit's Tor-based site were still seeing only a page with a header that reads "LockBit Anti-DDoS" and contains a simple text message: "Does anyone know a good torrent tracker where I can upload greedy entrust.com com files? Please write to tox," and lists an address for the Tox peer-to-peer messaging app, which includes end-to-end encryption.
LockBit strongly suspects the DDoS attack traces to its breach of Entrust, based on what appears to be a reverse-proxy server log.
Lockbit: "We're being DDoS'd because of the Entrust hack"
vx-underground: "How do you know it's because of the Entrust breach?"
Lockbit: pic.twitter.com/HUO2hdTbwz— vx-underground (@vxunderground) August 21, 2022
Based in Shakopee, Minnesota, privately held Entrust is a major security provider, supplying both software and hardware that gets used to issue payment cards, create passport and provide user authentication. Numerous governments and financial services firms are customers of the company, which reports having customers across 150 countries.
The company didn't respond to a request for comment about whether it had any role in the DDoS attack.
News of LockBit's ransomware attack on Entrust was first reported by Bleeping Computer on July 22. By last week, it said LockBit was leaking stolen Entrust data.
In a letter to customers dated July 6, Entrust reported that the attack occurred on June 18 and that "we have been working tirelessly to remediate this situation since that moment." The company said it didn't expect the attack to impact "the operation or security of our products and services," but said that some files had been stolen.
No mention of the incident appears to be present on Entrust's site.
Who's Disrupting LockBit?
If Entrust should be behind the LockBit site disruption, then "Entrust is doing Unisys, Bandai Namco and others a pretty big fav," says cybersecurity researcher Dominic Alvieri, referring to other organizations the group has recently claimed as victims, threatening to leak their stolen data.
Perhaps, but one result could also be that ransomware victims hoping to negotiate with LockBit and obtain a decryptor might not be able to pay the group. On the other hand, ransom notes often leave multiple contact points for a gang, and the Tox address is certainly one obvious way to contact the group and conduct negotiations.
Ransomware incident response firm Coveware reports that based on thousands of cases it helped investigate from April though June, LockBit accounted for 13% of known victims, second only to BlackCat, with 17% market share.
The disruption of a site run by supposed cybercrime masterminds is a reminder that LockBit and their ilk aren't cybersecurity gods (see: Comedy of Errors: Ransomware Group Extorts Wrong Victim).
On the other hand, LockBit has differentiated itself from rivals based on its technical acumen, at least when it comes to crypto-locking malware (see: Keys to LockBit's Success: Self-Promotion, Technical Acumen).
Given the damage and disruption being caused by LockBit and other ransomware groups, one obvious question is why these gangs aren't being disrupted with greater frequency, says Allan Liska, principal intelligence analyst at Recorded Future.
"We all know these sites are MacGyvered together with bailing wire and toothpicks and are rickety as hell. We should do stuff like this to impose cost on them," Liska says (see: Unexpected Pairings: Wine Tasting and Threat Intelligence).
Some members of the information security community prefer stronger measures, of the "Aliens" protagonist Ripley variety. "I always say: go kinetic and solve the problem permanently," says Ian Thornton-Trump, CISO of Cyjax.
"Attribution is for the lawyers. I recommend a strike from orbit, it's the only way to be sure," he says (see: Russia's Cyberattack Strategy: Precision, Not Spillover).
Another explanation for the attack would be one or more governments opting to "impose costs" on the ransomware gang, say Brett Callow, a threat analyst at Emsisoft.
As he notes, the imposing-costs phrase is a direct quote from Gen. Paul M. Nakasone, the head of Cyber Command, who last year told The New York Times that the military has been tasked with not just helping law enforcement track ransomware groups, but also to disrupt them (see: 'We're Hitting Ransomware Groups,' US and Allies Confirm).
Time is money for criminals, and disrupting their illicit enterprise is indeed one way to impose costs. Given the legal risks a private U.S. company would face if it ran a DDoS attack of any kind, against anyone, the involvement of U.S. Cyber Command, another government that uses Entrust products, or simply a security researcher or prankster, seem like more likely possibilities.