Hack Backs: A Legitimate Tactic or Counter-Productive?

The prolific LockBit ransomware gang was subject to a DDoS attack that resulted in its data leak site being shut down temporarily, according to recent reports that emerged in mid-August 2022. Typically, it is threat actors who leverage DDoS attacks as an easy, cheap and effective tactic capable of causing enormous disruption and loss of business to victims. Seeing a notorious cyber-criminal gang targeted in this way would likely have been satisfying to many who observe, and are impacted by, the damage groups like LockBit cause.

Reports of the DDoS attack came shortly after LockBit claimed responsibility for an attack on cybersecurity vendor Entrust in June, after which the gang failed to secure a ransom.

The company confirmed in July that threat actors had breached its network and exfiltrated data from its internal systems. Shortly after allegedly leaking data stolen from Entrust on August 19, LockBit’s leak site was disrupted by a DDoS attack, which it now appears to be recovering from.

Unsurprisingly, there are suggestions the two incidents are linked, with some surmising that the perpetrator of the DDoS strikes against LockBit was seeking revenge for the ransomware attack and/or trying to prevent the stolen data from being leaked. However, at this time, there is no clear evidence showing who targeted LockBit.

“There is no tangible evidence that suggests Entrust was behind the retaliatory attack,” Tom Huckle, director of information security & compliance at BlueVoyant, told Infosecurity. “Despite the DDoS HTTPS requests seemingly pointing to the perpetrator being Entrust, this is merely circumstantial evidence and not definitive. This could be an unaffiliated company or individual working on behalf of Entrust, or it could be a rival to the LockBit gang using this as an opportunity to attack its infrastructure.”

Brian Honan, CEO of BH Consulting, concurred: “Just because a company’s name is mentioned as part of the message with the attack does not mean that company is actually behind the attack. As with all cyber-attacks, attribution is not as simple as it seems and more details and analysis are required to determine who is behind an…