The LockBit ransomware group is one of the bigger names in the criminal field and is a real threat to organizations around the world, but it is also known to sometimes engage in “puffery” for media manipulation purposes. A recent claim that it breached leading security firm Mandiant appears to be another one of these incidents, with a promised data dump of hundreds of thousands of internal documents never materializing.
LockBit seems to have had a specific goal in mind with this story, however. The group wants to evade association with Evil Corp, another hacking group that has had sanctions placed on it by the U.S. government. Evil Corp was recently observed switching from its own custom malware to LockBit ransomware, and the LockBit group seems to want to make clear that the two outfits do not have any kind of relationship.
LockBit ransomware group looks to evade increasing government attention
LockBit has never been shy about the targets it attacks, but claiming to breach Mandiant (recently acquired by Google for over $5 billion) brought it a new level of attention. That attention might cool as Mandiant has announced an internal investigation revealing no sign of LockBit ransomware, but the group’s goal may have been to publicly create space between it and Evil Corp rather than build its own reputation.
LockBit has been known to both fabricate breaches and to exaggerate the scope of them before; in fact, it seems to do this at least annually, if not several times per year. The group operates a “double extortion” ransomware portal that threatens to publicly reveal sensitive files if the ransom is not paid, but sometimes the promised files either never materialize or are much smaller and more insubstantial than initially indicated.
String of legitimate LockBit ransomware attacks recorded, but no evidence yet for Mandiant breach
The LockBit ransomware gang had claimed that it had captured over 350,000 files from Mandiant. Mandiant said that not only was there no sign of a breach or of the group’s ransomware, but the promised “double extortion” materials never appeared. LockBit only posted several small files that didn’t appear to have anything to do with Mandiant, and has yet to make any other comment on the attack.
It’s still not totally clear what prompted LockBit to do this, but the Evil Corp media connection makes the most sense. LockBit likely fears a decline in victim payments if its targets believe that the ransomware originated from a sanctioned entity. It may have also timed the incident to generate buzz ahead of the most recent RSA conference, which just took place in San Francisco.
Mandiant has a direct connection to Evil Corp, as it broke the story that the criminal gang had switched over to LockBit ransomware in May; Evil Corp appears to have been hopping between other types of ransomware prior to this in a bid to disguise its identity from victims. Office of Foreign Assets Control sanctions could end up costing victims double the amount of the ransom they paid, or more, and they apply to a broad web of organizations.