[MART] - Daily Diary #527 - Lockbit Teases Mandiant - Claims They Are Not EvilCorp

CTAS-MAT ctas-mat at appgate.com
Tue Jun 7 22:00:29 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

06/07/2022 - Diary entry #527

Covered in multiple of our Daily Diaries, most recently in our Daily Diary #440, Lockbit is one of the most dangerous ransomware groups active nowadays. Lockbit operates in the Ransomware-as-a-Service business model, selling their platform and malware to third-party attackers, that target multiple organizations in different countries and sectors. Lockbit wall-of-shame is one of the many monitored by our team, having new targets uploaded every week.

Earlier this week Mandiant's researches attributed recent Lockbit attacks as part of EvilCorp group operations, including the recent FoxConn breach. EvilCorp (a.k.a Indrik Spider and TA505), covered in our Daily Diaries #80 and #63, is a Russian cybercrime group responsible for multiple malware threats, including Entropy ransomware (Covered in our Daily Diary #459) and Dridex (Covered in our Daily Diaries #114, #116, in our Blog Posts "Reverse Engineering Dridex and Automating IOC Extraction" and "Breaking Dridex and Creating a Vaccine"). In 2019, as part of a bigger strategy to disrupt EvilCorp, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the cybercrime group. As part of the sanctions, all persons in the U.S. are prohibited from engaging in transactions with this threat actor, making ransomware victims unable to (legally) pay the ransom to the group. Allegedly, EvilCorp was then switching to Lockbit Ransowmare-as-a-service as a way to bypass those sanctions, receiving the money through a third-party ransomware.

Yesterday, June 6th, Lockbit published an entry about Mandiant on their wall-of-shame. On the page there was a countdown, claiming that over 350 thousand of stolen files would be published. Weird enough, Mandiant denied any evidence of attack, and on the wall-of-shame the deadline for the publishing was for a few hours, when normally the victims have days to negotiate the ransom. After the countdown, only two files were uploaded, mainly a .txt note attacking Mandiant.

On the note, Lockbit calls Mandiant a "Yellow press", a pejorative term for news sources that presents little credibility. The note also claims that EvilCorp is nowhere associated with Lockbit, and that FoxConn was breached using a zerologon vulnerability by a third-party "affiliate" that breaches mostly small companies. Along with the note, the group uploaded a compressed file with screenshots from Lockbit internal panel - logged as the FoxConn's attacker - as "proof" they are not related to EvilCorp.

The fact that Lockbit went this far, risking their "credibility", to provoke Mandiant is a proof that the U.S. sanctions against EvilCorp are effective. This unusual incident reveals Lockbit - and probably other ransomware groups - are afraid to be sanctioned, and also reveal that if companies refuse to pay the ransom, their operations would be severely impacted. We highly recommend for companies to never pay the ransom, and to adopt a ZeroTrust mindset to reduce chances and damages of ransomware attacks.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Manager, MART

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220607/89185d65/attachment-0001.htm>

More information about the MART mailing list