Highlights:

  • Bleeping Computer claimed that the leak site was taken offline over the weekend in a DDoS assault and that LockBit had received a message instructing it that the attack would cease if it erased data stolen from Entrust.
  • Entrust did not disclose the form of the June attack. It was believed that a ransomware attack was likely involved, and, as it turned out, the LockBit ransomware gang claimed credit for the attack.

A widespread denial-of-service attack has shut down notorious ransomware group LockBit’s data leaks site, and the gang has blamed Entrust Corp. for the attack.

It has been reported that the leak site was taken offline over the weekend in a DDoS attack and that LockBit had received a message that the attack would cease if it erased data stolen from Entrust. The message was sent to LockBit.

Entrust, a business that counts Microsoft Corporation and VMware Inc. as clients, was the victim of a cyberattack in June, and on July 28 of that same year, the company disclosed that data had been taken from them. According to Entrust, the attack consisted of an unauthorized party gaining access to specific systems utilized for internal activities without appropriate authorization. Despite this, the hack did not compromise the company’s solutions in the areas of identity and access management, identification and passport issuing, payments, cloud security, and data processing.

Entrust did not disclose any information on the issue that occurred in June. During that time, there were rumors that an attack using ransomware could have been involved. As it turned out, the LockBit ransomware gang claimed credit for the attack.

Azim Shukuhi, a cybersecurity researcher working for Cisco Systems Inc.’s Talos threat intelligence department, gave data about the attack on LockBit through Twitter. The DDoS attack on LockBit was discovered for the first time on Saturday night.

Doubts abound about the timing of the incident. On Friday evening, LockBit began disclosing data it had illegally obtained from Entrust. The initial leak contained 30 images of material that had reportedly been taken from Entrust. This data included legal documents, marketing spreadsheets, and accounting information.

A spokeswoman for LockBit also supplied a screenshot of the attack, which included data packets with a message instructing the user to erase the stolen data, followed by an expletive at the end of the message.

Accenture plc and Bangkok Airways public company limited were also victims of previous LockBit attacks. Typically, the group frequently engages in double-tap ransomware assaults, which entails encryption of data and the threat to disclose stolen data if a ransom is not paid in exchange for decryption keys.

While it’s not clear if a ransom payment was demanded from Entrust but assuming one was, LockBit’s decision to start publishing the stolen data is proof that Entrust did not pay the requested amount.

Previous victims of LockBit have been asked to pay ransoms of up to USD 50 million in cryptocurrencies.

An attack on a cybersecurity organization is never a good look, and Entrust’s delay in announcing the attack contributed to the poor news. Entrust has every reason to be upset over being attacked, but nobody will shed a tear over LockBit being attacked right now. Entrust has every right to be outraged. However, suppose it is behind the DDoS attack, as LockBit alleges. In that case, it does raise ethical considerations as to whether a cybersecurity company should be using DDoS attacks in retaliation for a breach, let alone whether doing so is legal. This is in addition to whether or not doing so is even allowed.