{ "id": "1c2c85e5-0d3c-4bf9-886c-12a4e8a4a7a2", "created_at": "2026-04-06T00:19:40.326901Z", "updated_at": "2026-04-10T03:29:40.203419Z", "deleted_at": null, "sha1_hash": "b72dbf34d19c2e81a6423b47899157bb1015add8", "title": "LockBit ransomware blames Entrust for DDoS attacks on leak sites", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3610158, "plain_text": "LockBit ransomware blames Entrust for DDoS attacks on leak sites\r\nBy Lawrence Abrams\r\nPublished: 2022-08-22 · Archived: 2026-04-05 15:34:43 UTC\r\nThe LockBit ransomware operation's data leak sites have been shut down over the weekend due to a DDoS attack telling\r\nthem to remove Entrust's allegedly stolen data.\r\nIn late July, digital security giant Entrust confirmed a cyberattack disclosing that threat actors had stolen data from its\r\nnetwork during an intrusion in June. At the time, BleepingComputer was told by sources that it was a ransomware attack but\r\nwe could not independently confirm the one behind it.\r\nLast week, LockBit claimed responsibility for the attack and began leaking data Friday evening.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nThis leak consisted of 30 screenshots of data allegedly stolen from Entrust, including legal documents, marketing\r\nspreadsheets, and accounting data.\r\nAlleged Entrust data leaked on LockBit's data leak site\r\nSource: Dominic Alvieri\r\nSoon after they started leaking data, researchers began reporting that the ransomware gang's Tor data leak sites were\r\nunavailable due to a DDoS attack.\r\nYesterday, security research group VX-Underground learned from LockBitSupp, the public-facing representative of the\r\nLockBit ransomware operation, that their Tor sites were under attack by someone they believed to be connected to Entrust.\r\n\"Ddos attack began immediately after the publication of data and negotiations, of course it was them, who else needs it? In\r\naddition, in the logs there is an inscription demanding the removal of their data,\" LockBitSupp told BleepingComputer in\r\nresponse to the questions about the attack.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/\r\nPage 3 of 5\n\nAs you can see from these HTTPS requests, the attacker added a message to LockBit in the browser user agent field telling\r\nthem to delete Entrust's data.\r\nDDoS HTTPS requests with a message to LockBit\r\nCisco Talos researcher Azim Shukuhi tweeted that the DDoS attack on LockBit's servers consisted of \"400 requests a second\r\nfrom over 1000 servers.\"\r\nIn retaliation to the attack, LockBit's data leak sites now show a message warning that the ransomware gang plans to upload\r\nall of Entrust's data as a torrent, which will make it almost impossible to take down.\r\nThe new message shown on LockBit data leak sites\r\nFurthermore, the threat actors have shared the alleged negotiations between Entrust and the ransomware gang with security\r\nresearcher Soufiane Tahiri. This chat indicates that the initial ransom demand was $8 million and dropped to $6.8 million\r\nlater.\r\nLockBitSupp told BleepingComputer that another cybersecurity firm, Accenture, also conducted a similar attack against\r\ntheir data leak sites but was less successful.\r\n\"The last ones to do this were the Accenture, but they were not very good at it, the Entrust were much more successful at it,\"\r\nexplained LockBitSupp.\r\nBleepingComputer has been unable to confirm if this statement is true.\r\nThe ALPHV ransomware operation's data leak sites were also down this weekend in what is believed to be a DDoS attack.\r\nHowever, it is not known if the two attacks are related.\r\nSecurity firm or threat actor behind attacks?\r\nBleepingComputer has contacted Entrust to ask if they were responsible for the DDoS attack on LockBitSupp but did not\r\nreceive a reply. \r\nSo, at this point, it is unclear if Entrust, an affiliated cybersecurity company, or simply a rival threat actor is taking\r\nadvantage of the situation by conducting the attacks.\r\nSecurity researchers are unsure who is attacking LockBit, with some saying that it would be unprecedented for a\r\ncybersecurity company to conduct attacks like these.\r\n\"I believe this is somehow backed by Entrust at the moment but not another group attacking both. The only group with an\r\ninterest in attacking both would be the feds or gov entities,\" security researcher Dominic Alvieri told BleepingComputer.\r\n\"Do we have evidence that a cybersecurity firm is carrying out a DDoS? That would be an unprecedented and somewhat of\r\na paradigm shift. it could be competitors or may be someone with animosity towards those top two from within the RaaS\r\nworld,\" tweeted Shukuhi.\r\n\"The idea that a cybersecurity company would be yeeting a DDoS around would set a dangerous precedence,\" tweeted a\r\nthreat intelligence researcher known as Cyberknow.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/\r\nPage 4 of 5\n\nWhile we will likely never know who is behind these attacks, it has shown how effective attacks like this can be in\r\ndisrupting a ransomware gang's operations.\r\nWhether victims, cybersecurity companies, or even governments may adopt such tactics in the future (if not already doing\r\nso) remains to be seen.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/" ], "report_names": [ "lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites" ], "threat_actors": [ { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434780, "ts_updated_at": 1775791780, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b72dbf34d19c2e81a6423b47899157bb1015add8.pdf", "text": "https://archive.orkl.eu/b72dbf34d19c2e81a6423b47899157bb1015add8.txt", "img": "https://archive.orkl.eu/b72dbf34d19c2e81a6423b47899157bb1015add8.jpg" } }