LockBit ransomware gang has announced that it is improving defenses against Distributed Denial-of-Service (DDoS) attacks and is working to take the operation to a triple level of extortion.
The gang recently faced a DDoS attack, allegedly on behalf of digital security giant Entrust, which blocked access to data posted on the leak site.
Entrust data was stolen by LockBit ransomware in a June 18 attack, according to a source from BleepingComputer. The company confirmed the incident and that the data had been stolen.
Entrust did not pay the ransom and LockBit announced that it would publish all the stolen data on August 19th. However, this did not happen as the gang’s leak site was hit by a DDoS attack believed to be linked to Entrust.
LockBit is available in DDoS
Earlier this week, LockBitSupp, the public face of the LockBit ransomware operation, announced that the group is back in business with greater infrastructure to allow access to leaks undisturbed by DDoS attacks.
Last weekend’s DDoS attack, which temporarily halted Entrust data leaks, was seen as an opportunity to examine the triple racketeering tactic to put more pressure on victims to pay a ransom.
LockBitSupp said the ransomware operator is now trying to add DDoS as an extortion tactic on top of encryption and data sharing.
“I’m looking for Dudosers [DDoSers] in the team, most likely now we will attack targets and deploy triple blackmail, encryption + data leak + dudos because I felt the power of dudos and how it animates and renders life more interesting.’ wrote LockBitSupp in a post on a hacker forum. Entrust the data leak
The gang also pledged to torrent 300GB of stolen data to Entrust so “the whole world knows your secrets”.
The LockBit spokesperson said they would privately share the leaked Entrust data with anyone who contacts them before torrenting it.
It looks like LockBit kept their promise and released a torrent called “entrust.com” with 343GB of files over the weekend.
The operators wanted to ensure that Entrust’s data was available from multiple sources, and not only did they publish it on their website, but they also shared the torrent via at least two file storage services, including one made it unavailable.
One method already implemented to prevent further DDoS attacks is to use unique links in ransom notes for victims.
“The link randomization feature in locker notes has already been implemented, each version of the locker will have a unique link that the dudoser [DDoSer] will not be able to detect,” LockBitSupp wrote.
They also announced an increase in the number of mirrors and duplicate servers, and a plan to increase the availability of stolen data by making it accessible on Clearnet via an armored storage service.
LockBit ransomware operation has been active for almost three years, since September 2019. At the time of writing, LockBit’s data leak site is up and running.
The gang is listing more than 700 victims and Entrust is one of them, with data for the company leaked on August 27.