LockBit, ALPHV and other ransomware gang leak sites hit by DDoS attacks


Ransomware-as-a-service (RaaS) groups LockBit and ALPHV (aka BlackCat), among others, have been subject to Distributed Denial of Service (DDoS) attacks targeting their data leak sites, causing downtime and outages.

The attacks have been monitored by Cisco Talos since August 20 and include a wide range of other RaaS groups, including Quantum, LV, Hive, Everest, BianLian, Yanluowang, Snatch, and Lorenz.

Forum posts from the LockBit gang’s tech support arm, “LockBitSupp”, indicate that the attacks had a significant impact on the group’s business, with nearly 1,000 servers targeting the leak site at nearly 400 requests per second, the researchers said.

“Many of the aforementioned groups are still affected by connectivity issues and continue to experience a variety of intermittent outages at their data leak sites, including frequent disconnections and unreachable hosts,” suggesting this is part of “a sustained effort to thwart updates from these sites,” explained a Talos blog post this week.

The groups reacted in different ways, with some sites simply redirecting web traffic elsewhere, as in the case of the Quantum group, while others tightened DDoS protections.

“As this activity continues to interrupt and impede the ability of these affiliates and operators to publicly release new victim information, we will likely continue to see various groups respond differently, depending on the resources available to them,” noted the blog authors.

Closures provide respite for targeted groups

Aubrey Perin, senior threat intelligence analyst at Qualys, says that in the event of a DDoS attack on RaaS leak sites, the victims of the criminal gangs’ activity would clearly benefit. Perin notes that the report shows how effective these attacks are at stalling ransomware operations, with outages giving defenders valuable time to investigate.

“If the leak sites are closed, the victim infrastructure cannot be announced,” Perin said. “The goal of these types of attacks is to disrupt gang activity,” adding that if gangs cannot document victim information, extortion tactics become much more difficult and, in some cases, benign.

However, Perin adds that today’s bad actors are becoming increasingly sophisticated and learn from mistakes on the fly, so they can find workarounds fairly quickly.

“More mature gangs have exemplified their agility to quickly reorganize and launch more sophisticated countermeasures for DDoS attacks,” says Perin. Where early ransomware authors used “spray-and-pray” methods, Perin points out that today’s bad actors conduct ransomware attacks like professional operations, each applying their own “special sauce”.

“Organizations each have their own strategies and protocols that they follow, and RaaS is no different. Each gang finds what works best, develops a strategy, and executes,” says Perin. “Each gang’s operations are unique to those of other gangs.”

So, says Perin, without a deeper understanding of a specific gang’s operating schedule and strategy, it’s virtually impossible to know the true impact on its operations.

“That being said, these attacks certainly have the power to tarnish their reputation,” notes Perin.

Rival extortion groups and government agencies could benefit

When it comes to who is behind the DDoS efforts, Rick Holland, CISO and vice president of strategy at Digital Shadows, says rival extortion crews and government agencies are two possible beneficiaries of attacks on data leak sites.

“There is no honor among thieves, and there is a history of groups targeting each other,” he says. “On the government side, the commander of United States Cyber Command, General [Paul] Nakasone admitted to targeting ransomware groups last year, so it would be reasonable to assume that the US government continued its efforts to disrupt adversaries.”

Holland says that the extortionists need to think about the resilience of their sites, just as legitimate businesses do.

“There are other ways for ransomware victims to interact with actors,” he explains. “RaaS reps are available on forums, and victim negotiations can still be taken offline through various messaging apps.”

Andrew Hay, COO at LARES Consulting, adds that the targeted gangs are likely working actively to counter the problem.

“We will likely see threat groups move their servers and services to a more distributed infrastructure to maintain availability, as any organization would to stay operational,” he says.

From Hay’s perspective, the report suggests that attacks directed at RaaS data leak sites are unlikely to go away any time soon, which could lead to some sort of underground competition for affiliates.

“You don’t have to be the best, you just have to be better – or more available – than the other guy,” he says.
