Cyber Incident Victim: LockBit
Date: Jul 2022
Location: United States of America
Summary
The LockBit ransomware group claimed responsibility for breaching the cybersecurity firm Entrust, which acknowledged unauthorized network access without confirming that data had been compromised. After LockBit published the victim on its leak site, LockBit's own infrastructure was disrupted by a DDoS attack allegedly linked to the victim, with the attack traffic reportedly referencing the company by name. The ransomware operators responded by threatening to release the stolen data over peer-to-peer networks, escalating tensions amid a broader debate about the legality of retaliatory cyber actions.
Description
In July 2022, the LockBit ransomware group claimed responsibility for a cyberattack targeting Entrust, a prominent provider of identity verification and data protection services. Entrust publicly acknowledged an intrusion by an "unauthorized party" but did not disclose technical specifics regarding the breach mechanism, data exfiltration scope, or confirmed impact on customer information. Following standard ransomware group procedures, LockBit listed Entrust on its dark web leak site, indicating failed ransom negotiations. This leak site entry aligned with LockBit’s established pattern of high-profile attacks, including prior incidents involving Foxconn and Accenture. Shortly after the Entrust listing, LockBit’s infrastructure experienced a distributed denial-of-service (DDoS) attack that rendered its leak site temporarily inaccessible. Security researcher Azim Shukuhi documented LockBitSupp—a representative of the ransomware operation—attributing the DDoS to Entrust, citing network traffic volumes reaching 400 requests per second originating from approximately 1,000 servers. Forensic analysis of the attack traffic reportedly revealed internal system messages containing the phrase "DELETE_ENTRUSTCOM_MOTHERFUCKERS," suggesting a retaliatory motive.

The DDoS countermeasure disrupted LockBit’s leak site operations, prompting the group to issue a warning about potential data dissemination through peer-to-peer networks if normal site functionality remained impaired. Entrust’s vice president of communications declined to comment on the alleged DDoS activity or the ransomware group’s accusations. This incident sparked discussions within the cybersecurity community regarding the legal and operational implications of "hacking back" strategies, particularly under U.S. laws that generally prohibit unauthorized access to computer systems regardless of retaliatory intent. The disruption did not prevent LockBit from continuing its extortion efforts, though the precise timeline of site restoration remained unspecified in available reports. No subsequent disclosures confirmed whether Entrust customer data was publicly released via alternative platforms as threatened. The event highlighted tensions between ransomware operators and enterprise victims while underscoring the absence of public confirmation regarding data compromise claims or forensic details from the targeted organization.
