LockBit Ransomware Compromise of Mandiant Not Supported by Any Evidence, May Be a PR Move by Cybercrime Gang

The LockBit ransomware group, a persistent annoyance since it launched as “ABCD” in 2019, sent a shockwave through the cybersecurity world when it claimed that it had breached leading security firm Mandiant and was poised to leak over 350,000 files.

It is increasingly looking like this claim was hot air, however, and possibly a PR stunt by the LockBit gang to deflect from its recent association with the sanctioned Evil Corp group.

Mandiant says that it is conducting an internal investigation, but thus far sees no evidence that it was breached or that LockBit ransomware is present.

No sign of claimed LockBit ransomware infection of Mandiant, group may be working the media

Via its data leak site on the dark web, the gang indicated that it had breached Mandiant and exfiltrated hundreds of thousands of files. It threatened to leak the files after a countdown clock expired, but the deadline came and went without anything appearing but a zip file called “”. Upon examination, the file had 0 bytes of data and was set up to redirect users to “”, a website registered a decade ago that has never appeared to serve any particular purpose. That site now appears to redirect to “”, a site registered in 2018 that also appears to serve no purpose other than potentially being an attack site.

Given this, and Mandiant’s claim that no evidence of LockBit ransomware was uncovered by an internal investigation, the whole incident seems to be a dud. That leaves the question of why LockBit would even bother with such a stunt. Some researchers theorize that it is an attempt to manipulate the media given that the Evil Corp ransomware gang recently announced it was switching to the use of LockBit ransomware in its criminal campaigns. LockBit would like to distance itself from Evil Corp given that the latter party has been sanctioned by the United States government, meaning that it can expect victims in the country to be much more hesitant to pay its demands. The ransomware gang appears to want to remind the world that it is not affiliated with Evil Corp and is not under sanctions.

Jamie Brummell, Co-founder and CTO of Socura, also sees a possible connection to the upcoming RSA Conference (a major annual cybersecurity industry event): “PR stunts ahead of a major cybersecurity conference are nothing new, but for them to come from a ransomware gang is a novel development. LockBit wanted to hit the headlines following a Mandiant report linking them to Evil Corp, which would mean lost revenue due to US government sanctions. In that respect, it’s mission accomplished. The intention was seemingly to hit the big US tech publications that their victims’ IT teams are most likely to read. It was a message to their victims that they can keep paying up. However, if their intention was to sever the link between them and Evil Corp in the eyes of the public and potential targets, that’s still up for debate. It may have the reverse effect of drawing more attention to the Mandiant report and make victims question whether they are really linked.”

The news of Evil Corp switching to LockBit ransomware was broken in late May by Mandiant, who observed it in a number of attacks and theorized it was an attempt to evade U.S. Treasury Department Office of Foreign Assets Control (OFAC) sanctions levied against the group. One of the longest-tenured ransomware groups, Evil Corp has been active since 2007 and was previously known for its custom strains of ransomware such as BitPaymer, Hades, and WastedLocker. However, these signature ransomware strains have turned into a toxic asset since the group was sanctioned; victims now immediately know that they could be subject to heavy fines by OFAC if they go ahead with the payment.

This is not the first time Evil Corp has tried impersonating another ransomware group to take the heat off; it also “borrowed” the PayloadBin ransomware in a similar incident taking place in June of last year. Some researchers believe Evil Corp is impersonating other ransomware groups until it can develop an entirely new strain and undergo a complete rebrand.

LockBit ransomware gang not under sanctions, but remains a priority for law enforcement

While the LockBit ransomware group might fend off fears of sanctions with this move, it certainly will do nothing to ease international law enforcement scrutiny. Mandiant is one of the biggest names in cybersecurity, recently acquired by Google for $5.4 billion with the intention of integrating it into Google Cloud. LockBit has been active since 2019, and the FBI issued a warning about the group in February of this year as it expanded its ability to target Linux systems and began a campaign to recruit corporate insiders with knowledge of RDP and VPN passwords.

This is also not the first time LockBit has made false claims; security researchers report a number of prior incidents in which the group announced the leak of files and then ended up not posting anything, including claims of a breach of sports apparel brand Northwave in 2020 and Bangkok Airways in 2021. Chris Olson, CEO of The Media Trust, advises caution in making any assumptions based on this spotty history: “ … this is a developing story which we should take with a grain of salt. In the past, LockBit has posted names on its website only to drop them without explanation – it has also stolen data from organizations through a third-party vendor while falsely claiming to have breached its victims directly.”

“LockBit acts on a ransomware-as-a-service (RaaS) model, meaning the actors who may have initiated this breach cannot be directly identified. This could be a useful tactic for the enemies Mandiant has acquired since it first began operating at the frontlines of global cyberwarfare. In 2013, it implicated Chinese actors in cyber espionage – in 2020, it helped investigate Russian groups responsible for the SolarWinds hack,” Olson said.

Even if the Mandiant story is entirely made up, LockBit ransomware remains a legitimate threat to organizations; the criminal outfit has a long history of verified breaches, including a recent attack on the French Ministry of Justice. It is one of the biggest ransomware-as-a-service outfits on the market, and in addition to the FBI warning, the Department of Health and Human Services prepared a 30-page guide to the gang’s operations in September 2021.


Senior Correspondent at CPO Magazine