Lockbit Ransomware Gang Claims Mandiant’s Scalp in a Publicity Tit-for-Tat
The LockBit group is publicly crossing swords with cybersecurity giant Mandiant for associating it with Russian cyber extortion group Evil Corp.
LockBit has picked a fight with Mandiant that it can’t win. The ransomware gang says it stole Mandiant’s data and threatens to leak it in retaliation to the cybersecurity company publishing a report associating LockBit with the sanctioned Russian cybercriminal group Evil Corp.
The LockBit ransomware gang says it breached leading cybersecurity company Mandiant and gained access to its data. The gang, previously known as ABCD, said it would publicly leak the stolen data on its leak site, an unusual move for a ransomware syndicate.
The threat is possibly all bluster, given that LockBit hasn’t yet produced or leaked the hundreds of thousands of files it allegedly stole from Mandiant. Mandiant, which Google is acquiring for $5.4 billion, denied any intrusion. LockBit could be picking a fight with the American company over a recent report the latter published.
Mandiant’s report suggested that the LockBit strain is associated with Russia’s big bad wolf, Evil Corp. Evil Corp, tracked as UNC2165, operates a global cybercrime network and has defrauded banks and financial institutions of over $100 million.
It is also behind WastedLocker, Dridex malware, Hades, and Phoenix Locker, and is associated with DoppelPaymer, Zeus, and BitPaymer strains. WastedLocker emerged as a successor to the aging BitPaymer strain and has been used in at least 31 attacks in the U.S. alone.
Evil Corp has been referred to as “the world’s most harmful cyber crime group” by the United Kingdom’s National Crime Agency. The U.S. government sanctioned the group, and two of its alleged high-profile members — Igor Turashev and Maksim Yakubets — were indicted in December 2019.
The U.S. Department of Justice has placed a $5 million bounty on Yakubets, who also goes by the nicknames ‘aqua’, ‘aquamo’, and others and is believed to have ties with the Russian government.
Sweden-based TrueSec believes that Evil Corp may actually be a cyberespionage operation operating under the garb of a ransomware gang. “Perhaps Evil Corp has now morphed into a mercenary espionage organization controlled by Russian Intelligence but hiding behind the façade of a cybercrime ring, blurring the lines between crime and espionage,” wrote Mattias Wåhlén, threat intelligence lead at Truesec.
“If so, it would likely mean that this group uses the ransom money paid by victims to finance their espionage operations.”
Consequently, Evil Corp has been on the U.S. government’s radar for quite some time. The sanctions imposed on the group by the Office of Foreign Assets Control in 2019 meant that no U.S.-based entity could pay a ransom if attacked, making it hard for Evil Corp to conduct business as usual.
On the other hand, LockBit has been running a ransomware-as-a-service (RaaS) operation since September 2019, three months before the U.S. government sanctioned Evil Corp. LockBit revamped its website and infrastructure and rebranded as LockBit 2.0 in June last year. Palo Alto Networks’ Unit 42 included it in its list of emerging ransomware groups.
LockBit was the most active ransomware gang in February 2022 and was responsible for 42.2% of all ransomware attacks. It was also one of the cybercriminal syndicates most associated with ransomware vulnerabilities in Q1 2022.
Mandiant believes that the recent uptick directly results from Evil Corp using LockBit’s RaaS to evade sanctions. Additionally, “using this RaaS would allow UNC2165 [Evil Corp] to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware,” wrote Mandiant.
“Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.”
“The use of a RaaS would eliminate the ransomware development time and effort, allowing resources to be used elsewhere, such as broadening ransomware deployment operations. Its adoption could also temporarily afford the actors more time to develop a completely new ransomware from scratch, limiting the ability of security researchers to easily tie it to previous Evil Corp operations,” Mandiant added.
However, being tied to Evil Corp would directly hit LockBit’s profitability, the core of any ransomware operation. The resulting backlash against Mandiant was thus an immature, not to mention desperate, attempt to defame those who put the gang in the limelight.
Tarnishing Mandiant’s reputation would have earned LockBit the benefit of the doubt. Instead, LockBit’s response has ensured that organizations may now think twice before forking out a ransom. If the Lapsus$ incidents and now the LockBit-Mandiant feud have taught anything, it is that cybercriminals may not be well versed in the intricacies of professional public conduct.
After publishing all of the ‘stolen’ data, which amounted to two files of 2.34 MB and 1.45 KB, LockBit published the following:
[Image: LockBit Statement | Source: BleepingComputer]