Chris Swagler | September 6th, 2022

The LockBit ransomware group announced that it has improved its defenses against distributed denial-of-service (DDoS) attacks and is looking to elevate its operation to the triple extortion level. Recently, the group experienced a DDoS attack, purportedly carried out by Entrust, the digital security giant, that blocked access to the information posted on its corporate leaks website. LockBit ransomware attacked Entrust in mid-June and stole data from the company. The incident and data theft were both confirmed by Entrust. LockBit declared that it would publish all the stolen data because Entrust refused to pay the ransom. However, the publication was prevented by a DDoS attack on the group’s leak website.

LockBitSupp, the public-facing figure of the LockBit ransomware operation, declared that the group is up and running with a larger infrastructure providing access to leaks unaffected by DDoS attacks. The DDoS attack, which temporarily stopped Entrust data leaks, was regarded as an opportunity to experiment with triple extortion tactics to put more pressure on victims to pay a ransom. According to LockBitSupp, the ransomware operator is looking to add DDoS as an extortion tactic in addition to encrypting and leaking data. LockBitSupp stated on a threat forum that he was searching for DDoSers to join the team. The group is more likely to attack targets and provide triple extortion, including encryption, data leak, and DDoS.

Additionally, the group pledged to distribute over 300GB of Entrust data through torrents so the entire world will know their trade secrets. A spokesperson for LockBit stated that before making the Entrust data leak available, they will share it privately with anyone who contacts them. It seems that LockBit maintained its word and published a torrent called “entrust.com” that contained 343GB of content. The operators shared the torrent over two file storage services, one of them no longer available, in addition to releasing it on their website, to ensure that Entrust’s data was accessible from various locations.

Utilizing unique links in victims’ ransom notes is one measure already implemented to prevent future DDoS attacks. Each build of the locker will have a unique connection that the DDoSer will not recognize. The group also plans to increase the availability of stolen data by making it accessible over clearnet through a bulletproof storage service and by increasing the number of mirrors and duplicate servers. It was discovered that LockBit posted the stolen Entrust data over clearnet on a website that temporarily provides files.

With ransomware groups, including LockBit, looking to evolve their operations using triple extortion tactics, companies need to remain vigilant about the current threat landscape and regularly keep data network backups at off-site locations. At SpearTip, our remediation experts focus on restoring companies’ operations, reclaiming their networks by isolating malware, and recovering business-critical assets. Our certified engineers at our 24/7/365 Security Operations Center are continuously working to monitor data networks for potential vulnerabilities and ransomware threats like LockBit and are ready to respond to incidents at a moment’s notice. The ShadowSpear Platform, our cutting-edge integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualization to detect advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.