The well-known ransomware gang LockBit 2.0 claimed on June 6 local time that it had data from Google subsidiary Mandiant, a star company in the field of threat intelligence and incident response.
The LockBit gang’s data leak website now lists Mandiant.com as one of its victims, with a notice that “all available data will be released,” according to multiple news sites. The ransomware group posted a new page on the site earlier in the day, saying that 356,841 files it allegedly stole from Mandiant would be leaked online. A timer on the gang’s dark web leak site showed less than three hours before the end of the countdown.
As the list of files on the leak page is empty, LockBit has yet to reveal which files it claims to have stolen from Mandiant’s systems. However, the page shows a 0-byte file named “mandiantyellowpress.com.7z”, which appears to be related to the mandiantyellowpress[.]com domain (registered on the 6th). Visiting this domain redirects to the ninjaflex[.]com site. When contacted by us for more details of LockBit’s claim, the threat intelligence firm said it had not found evidence of a breach.
Mandiant quickly responded to a reporter’s request for comment by issuing a statement: “Mandiant is aware of these LockBit-related statements. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it unfolds.” Mark Karayan, Senior Marketing Communications Manager at Mandiant, made the above statement to the editor.
Coincidentally, the LockBit announcement comes as one of the world’s largest cybersecurity conferences, the RSA Conference, kicks off in San Francisco.
This also comes four days after Mandiant said there was evidence that the threat group it named UNC2165 had moved away from using Hades ransomware in favor of LockBit. The report attributes this to the United States having sanctioned a gang called Evil Corp. UNC2165 appears to be an affiliate of Evil Corp, so the shift in ransomware may be an attempt to distance the gang from sanctioned entities, Mandiant said.
Originally an independent company, Mandiant was acquired by FireEye in December 2013 for $1 billion. After FireEye was acquired by Symphony Technology Group for $1.2 billion in June 2021, Google bought Mandiant for $5.4 billion with the goal of integrating it into its Google Cloud unit.
Emsisoft’s threat analyst Brett Callow warned against taking LockBit’s claims at face value. “LockBit has made false claims in the past, and I suspect this is another of them. In fact, in response to Mandiant’s recent reports claiming that Evil Corp is using LockBit’s affiliate scheme to try to evade [US] sanctions, this is likely nothing more than a huge troll. The fact that LockBit timed its announcement at the beginning of RSAC may also indicate that it was a troll designed to cause embarrassment.”
Chris Olson, CEO of The Media Trust, a provider of mobile app and website security, agrees. “As Mandiant claims ‘we don’t have any evidence to support LockBit’s claim,’ this is a developing story and we should take it with a grain of salt. In the past, LockBit has posted names on its website, only to remove them without explanation — it also stole data from organizations through third-party vendors, while falsely claiming to have compromised victims directly. Until more information emerges, Mandiant’s story may go in either direction.”
The LockBit ransomware gang has been active as a ransomware-as-a-service (RaaS) since September 2019 and relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware actors were banned from posting on cybercrime forums. “LockBit operates on a ransomware-as-a-service (RaaS) model, which means there is no direct identification of the actor who might have launched this exploit. Since Mandiant began operating on the front lines of global cyber warfare, this could be a huge challenge for the enemies Mandiant has acquired. A useful tactic. In 2013, it implicated Chinese actors in cyber espionage — and in 2020, it helped investigate the Russian group responsible for the SolarWinds hack. More recently, it has been tracking Russia-based cybercrime group Evil Corp,” which has started working with LockBit to evade U.S. sanctions.
“At the moment, we don’t know if LockBit’s claims are true. But if they are, they could have serious implications for cybersecurity research firms that are increasingly targeted by global cyber actors.”
Past ransomware victims attacked by the LockBit 2.0 variant include the Bulgarian National Refugee Agency, the French Ministry of Justice and Accenture.
Hackers are always looking for opportunities to get at people’s data. Although there was no danger this time, there was still a risk of data leakage, and Mandiant could be in worse shape now if there is important data in the folder. Even security vendors face data breaches, not to mention ordinary businesses and individuals. Because of this, companies and individuals should take active measures to protect data. Data can be backed up for disaster recovery to guard against possible risks. Data protection solutions are now numerous and easier to use; virtual machine backup is a common example. Virtual machines can run multiple operating systems at the same time, which greatly saves physical and virtual resources. The most commonly used virtual machine backups now are VMware Backup, XenServer Backup, Hyper-V Backup, and so on.