As of November 14, 2025, the prominent cybersecurity and identity firm Entrust is facing a new, active cyberattack, with the Cl0p ransomware gang claiming responsibility. On November 13, 2025, the threat actor group added Entrust to its official “CL0P^_- LEAKS” data extortion site, which is hosted on the Tor network.
The leak site page created for the company states: “ENTRUST.COM – PAGE CREATED, YOU SOME TIME TO RESPOND AND CONTACT US.”
This action is a standard public extortion tactic, indicating that the Cl0p group has successfully breached Entrust’s network, exfiltrated data, and is now pressuring the company to enter ransom negotiations. The full extent of this new breach, including the specific data stolen and the initial access vector used by Cl0p, is not yet publicly known.
This new incident marks the second time in recent years that the security giant has been publicly targeted by a major ransomware operation.
Historical Context: The 2022 LockBit Breach
This 2025 Cl0p attack follows a previous, high-profile breach of Entrust in 2022. On June 18, 2022, the LockBit ransomware gang successfully infiltrated Entrust’s internal systems. That incident, which is still being discussed on dark web forums in November 2025, involved a different set of actors and tactics.
Attack and Extortion Timeline (2022)
In the 2022 incident, LockBit gained its initial foothold by purchasing access from “network access sellers”—specialized groups that breach corporate networks and then sell that access to other threat actors.
After Entrust reportedly refused to pay the ransom, LockBit retaliated by publishing the stolen data on its own leak site. This led to an unprecedented event where LockBit’s servers were targeted by a massive Distributed Denial-of-Service (DDoS) attack, temporarily knocking them offline. LockBit’s operators publicly accused Entrust of launching the counter-attack, which prompted the ransomware gang to adopt DDoS as a “triple extortion” tactic in its own future attacks.
On August 27, 2022, LockBit successfully restored its servers and publicly released the entire 343GB data cache stolen from Entrust.
Victim Size and Damage (2022)
While Entrust maintained that its customer-facing products—which it stated are run in “separate, air-gapped environments”—were not affected, the 2022 breach resulted in the theft of significant internal corporate data.
- Data Types: The 343GB leak included sensitive “accounting and legal files” and “marketing spreadsheets.”
- Victim Impact: The breach also compromised the personal information of the company’s employees. A subsequent class-action lawsuit (Morrison v. Entrust Corporation) alleged that stolen employee data included names, Social Security numbers, bank account numbers, and personal health information. The legal complaint noted that while the breach occurred in June 2022, some of the “hundreds of thousands” of victims were not notified until six months later.
Threat Actor Profile and TTPs: Cl0p
Cl0p, the threat actor behind the new November 2025 attack, operates with a different primary TTP than LockBit. While LockBit often uses affiliates who buy pre-existing access, Cl0p is notorious for its expertise in discovering and exploiting zero-day vulnerabilities in enterprise-grade software.
This specialization allows Cl0p to bypass defenses and breach hundreds of organizations in single, coordinated campaigns.
Fact-Based Campaign History (Cl0p)
- Accellion FTA (2020-2021): Exploited a zero-day in Accellion’s File Transfer Appliance, stealing data from approximately 100 companies.
- Progress MOVEit Transfer (May 2023): In one of 2023’s largest campaigns, Cl0p exploited a SQL injection zero-day (CVE-2023-34362). The group used a custom web shell named LEMURLOOT to exfiltrate data, impacting thousands of organizations and millions of individuals.
- Oracle E-Business Suite (2025): Earlier in 2025, Cl0p conducted a massive campaign exploiting a zero-day (CVE-2025-61882) in Oracle’s E-Business Suite, which it had been exploiting “in the wild” since at least August 2025, two months before a patch was available.
Table: Cl0p (Oracle 2025 Campaign) Indicators of Compromise
The following technical indicators are associated with Cl0p’s recent Oracle campaign and illustrate its methods. It is not yet confirmed whether this vulnerability was used in the new Entrust breach.
| Tactic / Analysis | Indicator / Action | Description |
|---|---|---|
| Mitigation | Patching | Oracle strongly recommends applying the updates related to CVE-2025-61882 as soon as possible. |
| Mitigation | Network Access | Consider temporarily disabling internet access for exposed Oracle E-Business Suite services. |
| Mitigation | WAF | Secure E-Business Suite instances with a web application firewall (WAF). |
| Network Investigation | Outbound Connections | Investigate outbound connections from Oracle EBS instances to known malicious infrastructure. |
| Database Investigation | Malicious Templates | Search for malicious templates in xdo_templates_vl matching URL references for the TemplateCode. |
| Session Investigation | Suspicious User Sessions | Investigate suspicious UserID 0 (sysadmin) and UserID 6 (guest) sessions in icx_sessions. |
Threat Actor Profile and TTPs: LockBit
LockBit, the actor from the 2022 breach, functions as a Ransomware-as-a-Service (RaaS) group. This model means the core developers recruit “affiliates” to conduct attacks, resulting in highly varied TTPs.
Technical Analysis: LockBit TTPs (2022 Entrust Breach)
Entrust itself published a technical blog post after the 2022 attack, detailing the TTPs used.
- (T1078) Valid Accounts: The attack began using compromised credentials purchased from a “network access seller.”
- (T1574) MFA Fatigue: The attacker spammed the employee who owned the credentials with a rapid succession of mobile push notifications.
- (T1566) Social Engineering: Simultaneously, the attacker posed as an “IT department colleague,” contacted the employee, and instructed them to “accept the push notification to make the notifications stop.” The employee complied.
- (T1552) Unsecured Credentials: Once on the network via VPN, the attacker “soon found a shell script with hard coded admin credentials for a privileged access management (PAM) solution.”
- (T1041) Exfiltration Over C2 Channel: This administrative access allowed the attacker to move laterally, establish persistence, and exfiltrate the 343GB of data.
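The MFA fatigue step above has a recognisable log signature: many push challenges to one account in a short window, ending in an approval. The following detection logic is an added example (not from Entrust’s blog post or this article); the log format, field names and sample lines are constructed for illustration.

```python
"""Flag MFA push-fatigue bursts in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <source_ip>".
# alice receives five pushes in about a minute and finally approves one;
# bob shows a normal single challenge and approval.
SAMPLE_LOG = """\
2022-06-18T02:14:05Z alice push_sent 203.0.113.7
2022-06-18T02:14:21Z alice push_denied 203.0.113.7
2022-06-18T02:14:35Z alice push_sent 203.0.113.7
2022-06-18T02:14:50Z alice push_sent 203.0.113.7
2022-06-18T02:15:02Z alice push_sent 203.0.113.7
2022-06-18T02:15:18Z alice push_sent 203.0.113.7
2022-06-18T02:15:40Z alice push_approved 203.0.113.7
2022-06-18T02:20:00Z bob push_sent 198.51.100.9
2022-06-18T02:20:12Z bob push_approved 198.51.100.9
"""

def parse(log_text):
    """Yield (timestamp, user, event, source_ip) tuples from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, ip = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_fatigue(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {user: details} for users with >= threshold push_sent events
    inside any sliding window, noting whether an approval followed the burst."""
    per_user = defaultdict(list)
    for ts, user, event, ip in parse(log_text):
        per_user[user].append((ts, event, ip))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        sent = [ts for ts, ev, _ in events if ev == "push_sent"]
        start = 0
        for end in range(len(sent)):
            while sent[end] - sent[start] > window:   # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = any(ev == "push_approved" and ts >= sent[start]
                               for ts, ev, _ in events)
                alerts[user] = {"pushes": count, "approved_after_burst": approved,
                                "source_ips": sorted({ip for _, _, ip in events})}
    return alerts

if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"ALERT {user}: {info}")
```

An approval that follows a burst is the case to escalate first, since it matches the pattern in which the attacker talked the employee into accepting the prompt.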
Table: General LockBit Indicators of Compromise
The following general IOCs are associated with LockBit 2.0 and 3.0 variants, based on government advisories.
| Indicator Type | Indicator | Description |
|---|---|---|
| IP Address | 51.91.79[.]17 | Temp.sh IP address used by LockBit actors. |
| IP Address | 70.37.82[.]20 | IP was seen from a known compromised account reaching out to an Altera IP address. |
| IP Address | 185.17.40[.]178 | Teamviewer Command and Control (C2), ties back to a Polish service provider. |
| IP Address | 62.233.50[.]25 | Russian geolocated IP from a compromised system. |
| Tool | Teamviewer | LockBit is known to leverage legitimate remote admin tools (e.g., Anydesk, Teamviewer, Altera). |
| Tool | Mimikatz | A publicly available tool used by LockBit 2.0 actors to escalate privileges. |
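Advisory IoCs like the IP addresses above are published defanged and have to be normalised before they can be matched against outbound-connection logs, which is also the check the Oracle table calls for under “Outbound Connections”. The script below is an added example (not from the article or any advisory): the four IPs are taken from the table, while the firewall log format and lines are constructed.

```python
"""Refang advisory IoCs and match them against outbound firewall logs (added example)."""
import ipaddress
import re

# Defanged indicators copied from the LockBit table on this page.
DEFANGED_IOCS = {
    "51.91.79[.]17": "Temp.sh IP address used by LockBit actors",
    "70.37.82[.]20": "Compromised account reaching out to an Altera IP address",
    "185.17.40[.]178": "Teamviewer C2, Polish service provider",
    "62.233.50[.]25": "Russian geolocated IP from a compromised system",
}

def refang(indicator):
    """Reverse common defanging so the value can be parsed or compared."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
                     .replace("hxxps://", "https://").replace("hxxp://", "http://"))

def build_ioc_set(defanged):
    """Map parsed ip_address objects to their advisory description."""
    return {ipaddress.ip_address(refang(k)): v for k, v in defanged.items()}

# Constructed firewall log: "<ts> src=<ip> dst=<ip> dport=<n> action=<allow|deny>".
SAMPLE_FW_LOG = """\
2022-06-19T01:02:03Z src=10.0.5.21 dst=185.17.40.178 dport=5938 action=allow
2022-06-19T01:02:09Z src=10.0.5.21 dst=93.184.216.34 dport=443 action=allow
2022-06-19T01:03:44Z src=10.0.7.8 dst=51.91.79.17 dport=443 action=allow
2022-06-19T01:04:00Z src=10.0.7.8 dst=10.0.0.1 dport=53 action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def find_ioc_hits(log_text, iocs):
    """Return one record per log line whose destination is a known indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        dst = ipaddress.ip_address(m["dst"])
        if dst in iocs:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": str(dst),
                         "dport": int(m["dport"]), "note": iocs[dst]})
    return hits

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_FW_LOG, build_ioc_set(DEFANGED_IOCS)):
        print(hit)
```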