Someone out there in Internet-land is extremely angry with the LockBit ransomware group.
So angry, in fact, that on the weekend of August 21 they decided to hit the group’s Tor leaks sites with a DDoS attack large enough to take them offline.
It’s the sort of thing that probably happens all the time on the dark web, and nobody beyond the criminal world pays much attention—but this attack was different for a very unusual reason.
For background, LockBit is currently highly active, claiming responsibility for recent attacks against Italy’s tax agency, as well as a triple extortion attack on an automotive supplier.
According to the group’s LockBitSupp contact account, which interacts with researchers, the DDoS attack was payback for the group’s own attack in June on Entrust, a U.S. data security company.
Data stolen from Entrust during that incident was eventually partially leaked the day before the DDoS attack, presumably to encourage the victim to pay up, with more releases promised.
So how could LockBit be so sure the attack was connected to the Entrust breach?
The answer to that, the group claimed, was embedded in the browser user agent field as part of the HTTPS requests used to overload the Tor site:
“GET / HTTP/1.1” 209 18869 “_” “DELETE_ENTRUSTCOM_MOTHERF*****S” [asterisks ours]
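The attribution above rests on a field that every web server already records: the User-Agent header, written to the access log alongside the request line, status and byte count. The following script is an added illustration, not code from the article or from anyone it describes; it parses constructed combined-format log lines (the hostile user agent is a placeholder with the same shape as the string quoted above, not the real value), counts requests per user agent, and flags agents that either lack a normal product/version token or dominate the request volume, which is what a flood from a single tool looks like from the defender's side.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx default); the last two quoted fields are
# the referer and the user agent, which is where the string in the article sat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Product/version token such as "Mozilla/5.0" or "curl/7.85.0". Ordinary clients
# carry at least one; a hand-typed message like the reported one usually does not.
PRODUCT_TOKEN_RE = re.compile(r'[A-Za-z][\w.+-]*/\d')

# Constructed sample log (not real traffic). The hostile user agent is a
# placeholder with the same shape as the string quoted in the article.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
10.0.0.9 - - [21/Aug/2022:10:00:01 +0000] "GET /index HTTP/1.1" 200 512 "-" "curl/7.85.0"
10.0.0.7 - - [21/Aug/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 18869 "_" "EXAMPLE_HOSTILE_UA_PLACEHOLDER"
10.0.0.7 - - [21/Aug/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 18869 "_" "EXAMPLE_HOSTILE_UA_PLACEHOLDER"
10.0.0.8 - - [21/Aug/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 18869 "_" "EXAMPLE_HOSTILE_UA_PLACEHOLDER"
10.0.0.8 - - [21/Aug/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 18869 "_" "EXAMPLE_HOSTILE_UA_PLACEHOLDER"
10.0.0.6 - - [21/Aug/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 18869 "_" "EXAMPLE_HOSTILE_UA_PLACEHOLDER"
garbage line that does not parse
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def user_agent_profile(text):
    """Count requests per user agent string."""
    return Counter(rec["ua"] for rec in parse_log(text))


def flag_user_agents(text, min_share=0.5):
    """Return [(ua, count, reasons)] for user agents worth a closer look.

    Two cheap signals: the UA lacks any product/version token, which ordinary
    browsers and tools carry, or a single UA accounts for at least `min_share`
    of all requests, which is what a flood from one tool looks like.
    """
    counts = user_agent_profile(text)
    total = sum(counts.values())
    flagged = []
    for ua, n in counts.most_common():
        reasons = []
        if not PRODUCT_TOKEN_RE.search(ua):
            reasons.append("no product/version token")
        if total and n / total >= min_share:
            reasons.append(f"{n}/{total} requests from one user agent")
        if reasons:
            flagged.append((ua, n, reasons))
    return flagged


if __name__ == "__main__":
    for ua, n, reasons in flag_user_agents(SAMPLE_LOG):
        print(f"{n:>5}  {ua!r}: {'; '.join(reasons)}")
```

Run against a real access log the script will surface the same two things a responder would look for during a flood: an agent string that is not a product at all, and one agent carrying most of the traffic. A user agent is trivially spoofable, so it is a lead for triage, not proof of who sent the traffic, which is exactly the caveat that applies to the attribution LockBit drew from it.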
The group also reportedly told Bleeping Computer:
“DDoS attack began immediately after the publication of data and negotiations, of course it was them, who else needs it?”
In retaliation for this, the group said it now planned to upload Entrust’s stolen data to Torrent sites, which would make it nigh impossible to remove from the public domain. It has also sent details of the claimed negotiations between itself and Entrust to a researcher.
Is this what it appears to be—a reprisal attack by a victim on a perpetrator?
Entrust has yet to comment on the speculation, but there is, we double underline, no evidence that the company sanctioned or even knew about the DDoS.
But the incident does, unhelpfully, re-open the long-running debate about the rights and wrongs of “hacking back” that has been ongoing ever since large cyberattacks ticked up in the early 2000s.
The consensus is still that it’s a bad and potentially dangerous idea. There are several reasons for this, starting with the fact that almost any cyberattack you can think of (including DDoS attacks) is now illegal under most countries’ laws.
Hacking back, of course, would undermine legal redress, including redress that might come to pass in the fullness of time, possibly years in the future.
There’s also a technical argument: Even if conducting a reprisal attack were legal, what would one attack? Internet infrastructure is shared, which means that a DDoS assault on a server might disrupt innocent parties.
It seems highly unlikely that a company in the business of securing networks would engage in an illegal act, even to stop the leaking of its data, let alone one that was never likely to make much difference. In fact, no legitimate company has ever been connected to a hacking-back event, although we must assume it has happened somewhere in the world at some point.
There is only one exception to this rule, national security, and that class of attack would unfold in a very different manner to a rather clunky DDoS.