BEEF ALERT: Ransomware Group Very Mad at Being Associated With Lavish Russian Hackers

The ransomware group LockBit really, really wants you to believe that its ransomware-as-a-service is not being used by Evil Corp, some of the most infamous and flashiest hackers on the planet, as researchers from cybersecurity firm Mandiant allege.

Mandiant published a report last Thursday which said that a group that overlapped with Evil Corp had recently switched to using LockBit ransomware. Evil Corp is a hacking group based in Russia whose members flaunt their extravagant wealth by, among other things, doing donuts in custom Lamborghinis in the streets of Russian cities.

Monday, LockBit claimed it hacked Mandiant, seemingly in retribution for the cybersecurity firm's report. On its website, LockBit said it planned to release documents hacked from Mandiant. But when LockBit published the files, the data didn’t come from Mandiant at all. The cache was a small selection of chat logs of an unknown provenance, photos of a Ferrari, and a bizarre, rambling statement.

“Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI, and so on,” the statement, included in a file named “mandiantyellowpress.com.txt”, read.

In December 2019, the U.S. government sanctioned Evil Corp. In its report Mandiant says it believes the group has moved to using LockBit in an effort “hinder attribution efforts in order to evade sanctions.” 

Evil Corp using LockBit to avoid sanctions could make sense because LockBit acts as a ransomware-as-a-service. With this, affiliate hackers can break into a target and then use the ransomware in an attempt to extort money from the victim. After a successful payment, the affiliate hackers then transfer a percentage of that money to the LockBit authors, LockBit’s website reads. In other words, a lot of different hackers use LockBit, and Evil Corp could blend into the crowd and still receive payments because its victims might not realize they are dealing with a sanctioned entity.

LockBit doesn’t like this conclusion, judging by the statement.

“I was very surprised to read the news on Twitter from the yellow press. mandiant.com are not professional. Any scripts and tools for attacks, are publicly available and can be used by any hacker on the planet, most of the attack methods are on the forums, githab [sic] and google, the fact that someone uses similar tools can not be proof that the attack is done by the same person,” it read.

In February, the FBI published indicators of compromise related to LockBit. “LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits,” the release read. LockBit’s software does not infect machines if it detects the computers are running a series of Eastern European languages, the release added. 

A LockBit representative did not respond to a request for comment from Motherboard sent before the files’ publication.

Mark Karayan, senior manager in marketing communications at Mandiant, told Motherboard in an email before the data was published that “Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.” After the files’ publication, Motherboard asked if Mandiant stood by its assessment from Thursday’s report.

“Yes,” Karayan replied.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.