Ransomware Group Very Angry To Be Associated With Lavish Russian Hackers

The LockBit ransomware group really, really wants you to believe that its ransomware as a service is not used by Evil Corp, some of the most infamous and flashy hackers on the planet, as researchers at cybersecurity company Mandiant claim.

Last week, on Thursday, Mandiant published a report that said a group associated with Evil Corp had recently switched to using LockBit ransomware. Evil Corp is a Russia-based hacking group whose members flaunt their extravagant wealth by, among other things, doing donuts in custom Lamborghinis on the streets of Russian cities.

On Monday, LockBit claimed to have hacked Mandiant, apparently as retribution for the cybersecurity firm’s report. On its website, LockBit said it planned to release hacked Mandiant documents. But when LockBit released the files, the data did not come from Mandiant at all. The cache was a small selection of chat logs of unknown provenance, photos of a Ferrari, and a bizarre rambling statement.

“Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI, etc.,” the statement, included in a file named “mandiantyellowpress.com.txt”, read.

In December 2019, the US government sanctioned Evil Corp. In its report, Mandiant says it believes the group moved to using LockBit in an effort to “hinder attribution efforts in order to evade sanctions.”

Evil Corp using LockBit to evade sanctions might make sense because LockBit operates as ransomware-as-a-service. Under this model, affiliate hackers break into a target and then use the ransomware to attempt to extort money from the victim. After a successful payment, the affiliate hackers transfer a percentage of that money to the LockBit authors, the LockBit website says. In other words, many different hackers use LockBit, and Evil Corp could blend in with the crowd and still receive payments because its victims might not realize they are dealing with a sanctioned entity.

LockBit does not like this conclusion, judging by the statement.

“I was very surprised to read the news on Twitter from the yellow press. Mandiant.com is not professional. All attack scripts and tools are publicly available and can be used by any hacker on the planet, most of the attack methods are on the forums, githab [sic] and google, the fact that someone uses similar tools cannot be proof that the attack is made by the same person.”

In February, the FBI released indicators of compromise related to LockBit. “LockBit 2.0 ransomware compromises victims’ networks through a variety of techniques, including but not limited to purchased access, unpatched vulnerabilities, insider access, and zero-day exploits,” the press release read. LockBit’s software does not infect machines if it detects that the computers are running a range of Eastern European languages, the statement adds.

A representative for LockBit did not respond to a request for comment from Motherboard sent before the files were released.

Mark Karayan, Senior Director of Marketing Communications at Mandiant, told Motherboard in an email before the data was released that “Mandiant is aware of these allegations associated with LockBit. “support for their claims. We will continue to monitor the situation as it develops.” After the files were released, Motherboard asked if Mandiant stood by its assessment in Thursday’s report.

“Yes,” Karayan replied.
