Threat Watch

LockBit Ransomware Group Adopting More Aggressive Strategy

The LockBit ransomware group recently announced that it is improving its distributed denial-of-service (DDoS) attack defenses and are working to take the operation to triple extortion level. The gang recently experienced a DDoS attack, allegedly on behalf of the security firm Entrust, preventing access to the information posted on LockBit’s corporate leaks website. LockBit ransomware attacked Entrust on June 18 and stole data from the company. LockBit declared that it would disclose all the stolen data on August 19 if Entrust did not pay the ransom. This did not happen, as the gang’s leak site was hit by a DDoS attack. LockBitSupp, the public face of the LockBit ransomware gang, declared that the group is operational again with a larger infrastructure to mitigate the impact of DDoS attacks. The previous DDoS attack was seen as a chance to experiment with a triple extortion strategy in order to increase pressure on victims to pay a ransom. According to LockBitSupp, the ransomware operator wants to add DDoS as an additional form of extortion on top of encrypting and leaking data. “I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,” stated LockBitSupp.

ANALYST NOTES

The group promised to release 300GB of Entrust data via torrent so that “the whole world will know your secrets,” and it seems that LockBit kept its promise and recently released 343GB of Entrust’s data. The operators wanted the leaked data to be available from multiple sources, so besides publishing it on their site, they also shared the torrent over at least two file storage services.

One method already implemented to stop further DDoS attacks is the use of special links in the victims’ ransom notes. “The function of randomization of links in the notes of the locker has already been implemented, each build of the locker will have a unique link that the dudoser [DDoSer] will not be able to recognize,” stated LockBitSupp. They also announced plans to increase the availability of stolen data by making it accessible over clearnet via a bulletproof storage service, as well as an increase in the number of mirrors and duplicate servers. The LockBit ransomware gang has been active since September 2019 and has attacked more than 700 victims, including Entrust.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/