LockBit, ALPHV & Other Ransomware Gang Leak Sites Hit by DDoS Attacks

Published: 23/11/2024   Category: security




A sweeping effort to prevent a raft of targeted cybercrime groups from posting ransomware victims' data publicly is hampering their operations, causing outages.



The ransomware-as-a-service (RaaS) groups LockBit and ALPHV (aka BlackCat), among others, have been the focus of distributed denial-of-service (DDoS) attacks targeting their data leak sites, causing downtime and outages.
The attacks have been monitored by Cisco Talos since Aug. 20 and include a wide range of other RaaS groups, including Quantum, LV, Hive, Everest, BianLian, Yanluowang, Snatch, and Lorenz.
Forum posts by the LockBit gang's technical support arm, LockBitSupp, indicate that the attacks have had a significant impact on the group's activities, with nearly 1,000 servers targeting the leak site with close to 400 requests per second, researchers said.
"Many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites," a Talos blog post explained this week.
The groups have responded in different ways, with some sites simply redirecting web traffic elsewhere, as in the case of the Quantum group, while others have beefed up DDoS protections.
"Given that this activity is continuing to interrupt and hinder the ability for these affiliates and operators to post new victim information publicly, we will likely continue to see various groups respond differently, depending on the resources available to them," the blog post authors noted.
Aubrey Perin, lead threat intelligence analyst at Qualys, says in the case of a DDoS attack on RaaS leak sites, victims of criminal hacking gang activity would clearly benefit. Perin notes that the report showcases how effective these attacks are at halting ransomware operations, with outages allowing defenders precious time to investigate.
"If the leak sites are shut down, the victims' infrastructure cannot be announced," Perin says. "The purpose of these types of attacks is to interrupt the gangs' activities," Perin notes, adding that if gangs cannot list victim information, then extortion tactics become far more difficult, and in some cases benign.
However, Perin adds, today's bad actors are growing increasingly sophisticated and learning from mistakes on the fly, so they may find workarounds rather quickly.
"More mature gangs have exemplified their agility to quickly re-organize and launch more sophisticated countermeasures for DDoS attacks," Perin explains. Where initial ransomware authors used spray-and-pray methods, Perin points out that today's bad actors carry out ransomware attacks as professional operations, with each applying their own special sauce.
"Organizations each have their own strategies and protocols they follow, and RaaS is no different. Each gang finds what works best, develops strategy, and executes," Perin says. "Each gang's operations are unique to that of other gangs."
Thus, Perin says, without a deeper understanding of a specific gang's operating schedule and strategy, it is next to impossible to know the real impact to their operations.
"That being said, these attacks certainly have the power to tarnish their reputations," Perin notes.
When it comes to who's behind the DDoS efforts, Rick Holland, CISO and vice president of strategy at Digital Shadows, says rival extortion crews and government agencies are two possible beneficiaries of attacks against data leak sites.
"There is no honor among thieves, and there is a history of groups targeting each other," he says. "On the government side, US Cyber Command commander General [Paul] Nakasone admitted to targeting ransomware groups last year, so it would be reasonable to assume that the US government has continued efforts to disrupt the adversaries."
Holland says extortionists need to think about their sites' resilience, just like legitimate businesses.
"There are other ways for ransomware victims to interact with the actors," he explains. "RaaS representatives are available on forums, and victim negotiations can still be taken offline through various messaging applications."
Andrew Hay, COO at LARES Consulting, adds that the targeted gangs are likely actively combatting the issue.
"We'll likely see the threat groups relocate their servers and services to a more distributed infrastructure to maintain availability, just like any organization would to stay operational," he says.
From Hay's perspective, the report suggests that attacks directed at RaaS data leak sites are likely not going to fade away anytime soon, which could lead to a sort of underground competition for affiliates.
"You don't need to be the best, you just have to be better — or more available — than the other guy," he says.
