June 7, 2022, updated 05 Aug 2022 7:50am

LockBit claims Mandiant hack in apparent bid to distance itself from Evil Corp

The ransomware gang is apparently keen to play down associations with the notorious cybercriminals.

By Claudia Glover

Ransomware gang LockBit claims to have hacked security vendor Mandiant, stealing more than 350,000 files and threatening to leak them online. Mandiant says it has found “no evidence” of a breach, and believes LockBit may be striking back after Mandiant released an investigation into its relationship to Russian cyber gang Evil Corp.

Security vendor Mandiant has apparently been hacked by LockBit. (Photo by Gabby Jones/Bloomberg via Getty Images)

The claims emerged late last night as LockBit published two files to its victim blog on the dark web which it claims stem from an attack on Mandiant. The group says it has more data to release: “all available information will be published!”, its blog post reads. It is not known if a ransom demand has been made to Mandiant, but a countdown timer on the post appears to indicate that the deadline for the release of information is approaching.

Who are LockBit?

Formerly known as ABCD, LockBit is known for requesting financial payment from its victims in exchange for decryption of information. “It focuses mostly on enterprises and government organisations rather than individuals,” says a report from security vendor Kaspersky.

Active since 2019, high-profile victims of the gang include Accenture, where LockBit demanded $50m in exchange for stolen data last year. However, reports noted that when a countdown timer set up for payment of the ransom passed zero, no data was released.

The similarities between the Accenture ‘breach’ and this incident have made security analysts suspicious. “This gang has made a number of false claims in the past,” said Brett Callow, security researcher at Emsisoft, adding that it is “entirely possible” that the group’s claims about Mandiant have “no substance to them whatsoever”.

Has LockBit really breached Mandiant?

Indeed Mandiant, which is currently in the process of being acquired by Google for around $5.4bn, says it is aware of claims but has “found no evidence” to back them up. “Based on the data released, there are no indications that Mandiant data was disclosed but rather the actor appears to be trying to disprove Mandiant’s blog on UNC2165 and LockBit,” the company said.

Mandiant released a report into LockBit and its relationship to the Russian cybercrime gang Evil Corp last week. The US government sanctioned Evil Corp members in 2019 as part of an international sting operation, describing it as “one of the world’s most prolific cybercrime operations”. The new Mandiant report explains that it believes Evil Corp members are now using LockBit malware “to hinder attribution efforts in order to evade sanctions”.


LockBit was clearly irked by this association, releasing a statement declaring “ are not professional”, and adding it “has nothing to do with Evil Corp”. It said: “We are real underground darknet hackers, we have nothing to do with politics or special services like the FSB, FBI and so on.”

This new alleged attack could be a further attempt to discourage Mandiant from linking LockBit and Evil Corp, says Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows. “Its reasons for the attack are likely to be to avoid the ensuing scrutiny and attention that would come with being affiliated with a sanctioned cybercriminal group [Evil Corp],” she says.

Others believe the timing of the disturbance is significant, as the global cybersecurity conference RSA is getting underway in San Francisco. “Given that it’s the second day of RSA, there may be some kind of marketing or publicity stunt driving this story,” argues Brian Higgins, security specialist at Comparitech.
