Turnabout is fair play as the attackers find themselves under attack.

The LockBit ransomware group’s data leak sites were shut down over the weekend by a DDoS attack whose operator told the group to remove Entrust’s allegedly stolen data, according to BleepingComputer.

In late July, digital security giant Entrust fell victim to a cyberattack. The organization disclosed that threat actors had stolen data from its network during an intrusion in June. At the time, BleepingComputer was told by sources that it was a ransomware attack, although we could not independently confirm the group behind it.

Last week, LockBit claimed responsibility for the attack and began leaking data on August 19, according to the report. The leak consisted of 30 screenshots of data allegedly stolen from Entrust, including legal documents, marketing spreadsheets and accounting data.

Counterattack

Soon after LockBit started leaking data, researchers began reporting that the ransomware gang’s Tor data leak sites were unavailable due to a DDoS attack.

On August 21, security research group VX-Underground learned from LockBitSupp, the public-facing representative of the LockBit ransomware operation, that their Tor sites were under attack by someone they believed to be connected to Entrust.

LockBit’s data leak sites now show a message warning that the ransomware gang plans to upload all of Entrust’s data as a torrent in retaliation for the attack, which would make the data nearly impossible to take down.

LockBitSupp told BleepingComputer that cybersecurity firm Accenture also conducted a similar attack against their data leak sites but was less successful. “The last ones to do this were the Accenture, but they were not very good at it. Entrust were much more successful”, explained LockBitSupp.

Questions surround the identity of the attackers

Security researchers are unsure who is attacking LockBit, with some saying that it would be unprecedented for a cybersecurity company to conduct attacks like these. It’s currently unclear if Entrust, a rival threat actor, or an affiliated cybersecurity company is taking advantage of the situation by attacking the ransomware group.

“I believe this is somehow backed by Entrust at the moment but not another group attacking both”, security researcher Dominic Alvieri told BleepingComputer. “The only group with an interest in attacking both would be the feds or other government entities.”