

The infamous ransomware gang LockBit has had its leak site knocked offline in a distributed denial-of-service attack, and the gang blames cybersecurity company Entrust Corp. for the attack.
Bleeping Computer reported today that the leak site was knocked offline in a DDoS attack over the weekend and that LockBit had received a message telling it that the attack would stop if it removed data stolen from Entrust.
The attack on Entrust, which counts among its clients Microsoft Corp. and VMware Inc., occurred in June, and the company admitted to the theft of data on July 28. Entrust described the attack as involving an unauthorized party accessing certain systems used for internal operations but not affecting its products in identity and access management, identification and passport issuance, payments, cloud security and data processing.
Entrust did not disclose the form of the June attack. It was believed at the time that a ransomware attack was likely involved and, as it turned out, the LockBit ransomware gang claimed credit for the attack.
The DDoS attack on LockBit was first detected on Saturday night. Azim Shukuhi, a cybersecurity researcher with Cisco Systems Inc.’s Talos threat intelligence group, provided details on Twitter.
someone is DDoSing the Lockbit blog hard right now. I asked LockBitSupp about it and they claim that they're getting 400 requests a second from over 1000 servers. As of this writing, the attack appears to be active. Lockbit promised more resources & to "drain the ddosers money" pic.twitter.com/NAB416k30l
— Azim Shukuhi (@AShukuhi) August 21, 2022
The timing of the attack appears to be more than a coincidence. LockBit first started leaking stolen data from Entrust on Friday night. The initial leak included 30 screenshots of allegedly stolen data from Entrust, including legal documents, marketing spreadsheets and accounting data.
A spokesperson for LockBit also provided a screenshot of the attack, showing data packets that included a message to delete the stolen data followed by an expletive.
Lockbit: "We're being DDoS'd because of the Entrust hack"
vx-underground: "How do you know it's because of the Entrust breach?"
Lockbit: pic.twitter.com/HUO2hdTbwz
— vx-underground (@vxunderground) August 21, 2022
Previous LockBit attacks include Accenture PLC and Bangkok Airways Public Co. Ltd. The gang typically undertakes double-tap ransomware attacks that involve the encryption of data and a threat to publish stolen data if a ransom is not paid.
It has not been disclosed whether a ransom payment was demanded from Entrust, but presuming one was, the decision by LockBit to start publishing the stolen data would indicate that Entrust did not pay the amount requested. Previous LockBit ransom demands from victims have ranged up to $50 million, to be paid in cryptocurrency.
A successful attack on a cybersecurity company is never a good look, and Entrust’s delay in revealing the attack also contributed to negative press. Entrust has every right to be angry about being attacked, and no one will shed a tear over LockBit itself now being attacked. However, if Entrust is behind the DDoS attack as LockBit alleges, it does raise ethical considerations as to whether a cybersecurity company should be using DDoS attacks in retaliation for a breach, let alone whether doing so is legal.