LockBit Ransomware Compromise of Mandiant Not Supported by Any Evidence, May Be a PR Move by Cybercrime Gang

The LockBit ransomware group, a persistent annoyance since it launched as “ABCD” in 2019, sent a shockwave through the cybersecurity world when it claimed that it had breached leading security firm Mandiant and was poised to leak over 350,000 files.

It is increasingly looking like this claim was hot air, however, and possibly a PR stunt by the LockBit gang to deflect from its recent association with the sanctioned Evil Corp group.

Mandiant says that it is conducting an internal investigation, but thus far sees no evidence that it was breached or that LockBit ransomware is present.

No sign of claimed LockBit ransomware infection of Mandiant, group may be working the media

Via its data leak site on the dark web, the gang indicated that it had breached Mandiant and exfiltrated hundreds of thousands of files. It threatened to leak the files after a countdown clock expired, but the deadline came and went without anything appearing except a 7z archive named “mandiantyellowpress.com.7z”. Upon examination, the archive was 0 bytes long, so it contained no data at all; what had been set up instead was a redirect to “ninjaflex.com”, a website registered a decade ago that has never appeared to serve any particular purpose. That site now appears to redirect to “mendrok.com”, a site registered in 2018 that also appears to serve no purpose other than potentially being an attack site.
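The two facts that settled this case (the archive was 0 bytes, and the bytes did not match the format the filename claimed) are the first things to check on any sample pulled from an extortion site before treating a leak claim as real. The following triage helper is an added example, not code from the article or from Mandiant; the sample files are constructed for the demo, and the magic-byte signatures are the published ones for the 7z and ZIP container formats. It generalizes slightly beyond the article by also covering ZIP-named files.

```python
"""Triage a purported leak archive before believing the claim.

Added example (not from the article). Given a file, report its size and
whether its leading bytes match the container format its extension
claims. A 0-byte "archive" or a mismatched header is a strong hint that
the "leak" is a prop, as in the mandiantyellowpress.com.7z case.
"""
import os
import tempfile

# Published container signatures (offset 0). The 7z one is "7z" + BC AF 27 1C.
# ZIP files normally start with a local file header (PK\x03\x04); a ZIP with
# zero entries consists only of an end-of-central-directory record (PK\x05\x06).
MAGIC_BY_EXT = {
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
}

# A 7z start header is fixed at 32 bytes: 6 magic + 2 version + 4 CRC
# + 8 next-header offset + 8 next-header size + 4 next-header CRC.
SEVENZ_START_HEADER_LEN = 32


def triage_archive(data: bytes, claimed_ext: str) -> str:
    """Classify raw archive bytes against the extension they were served with.

    Returns one of:
      "empty"             - zero bytes, nothing to leak
      "unknown-extension" - no signature table for this extension
      "header-mismatch"   - bytes do not start with the claimed format's magic
      "truncated"         - right magic, but shorter than a complete 7z start header
      "ok"                - header is consistent with the claimed container
    """
    if len(data) == 0:
        return "empty"
    signatures = MAGIC_BY_EXT.get(claimed_ext.lower())
    if signatures is None:
        return "unknown-extension"
    if not any(data.startswith(sig) for sig in signatures):
        return "header-mismatch"
    if claimed_ext.lower() == ".7z" and len(data) < SEVENZ_START_HEADER_LEN:
        return "truncated"
    return "ok"


def triage_path(path: str) -> dict:
    """Read a file from disk and return its size plus the triage verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1]
    return {"path": path, "size": len(data), "verdict": triage_archive(data, ext)}


def demo() -> dict:
    """Write three constructed samples to a temp dir and triage each.

    Sample bytes are made up for the demonstration: an empty file mimicking
    the one LockBit posted, a text file renamed to .7z, and a minimal but
    well-formed 7z start header (version 0.4, all other fields zeroed).
    """
    fake_7z_header = MAGIC_BY_EXT[".7z"][0] + b"\x00\x04" + b"\x00" * 24
    samples = {
        "mandiantyellowpress.com.7z": b"",            # 0 bytes, as reported
        "renamed-text.7z": b"this is not an archive",  # wrong magic
        "plausible.7z": fake_7z_header,              # header-consistent
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(payload)
            results[name] = triage_path(path)["verdict"]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A header check is only a first filter: a well-formed header proves nothing about the contents, and a real leak would still need to be opened in an isolated environment and sampled for data that only the claimed victim could hold. It is enough, though, to show within seconds that a zero-byte file cannot back a 350,000-file claim.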

Given this, and Mandiant’s statement that its internal investigation has turned up no evidence of LockBit ransomware, the whole incident seems to be a dud. That leaves the question of why LockBit would bother with such a stunt. Some researchers theorize that it is an attempt to manipulate the media after a recent Mandiant report found that the Evil Corp ransomware gang had switched to using LockBit ransomware in its criminal campaigns. LockBit would like to distance itself from Evil Corp because the latter has been sanctioned by the United States government: paying a sanctioned entity exposes a victim to sanctions liability, so victims in the country can be expected to be much more hesitant to pay. The ransomware gang appears to want to remind the world that it is not affiliated with Evil Corp and is not under sanctions.

Jamie Brummell, Co-founder and CTO of Socura, also sees a possible connection to the upcoming RSA Conference (a major annual cybersecurity industry event): “PR stunts ahead of a major cybersecurity conference are nothing new, but for them to come from a ransomware gang is a novel development. LockBit wanted to hit the headlines following a Mandiant report linking them to Evil Corp, which would mean lost revenue due to US government sanctions. In that respect, it’s mission accomplished. The intention was seemingly to hit the big US tech publications that their victims’ IT teams are most likely to read. It was a message to their victims that they can keep paying up. However, if their intention was to sever the link between them and Evil Corp in the eyes of the public and potential targets, that’s still up for debate. It may have the reverse effect of drawing more attention to the Mandiant report and making victims question whether they are really linked.”
