One of the most hated threat intel companies in the world is Mandiant, and they are hated because they are often right. But this week, LockBit decided to respond in a somewhat different way to one of Mandiant’s recent claims.
The ransomware group published a notice on their leak site yesterday saying that 356,841 files they allegedly stole from Mandiant would be leaked online shortly. “All available data will be published!” they announced.
When the so-called leak was published, it consisted of two files. Neither of them contained any files acquired from Mandiant. And the purpose of the leak appeared to be to get attention for LockBit’s statement that they are not EvilCorp. So many different people use so many different freely available tools, they note, that it’s improper to suggest that the use of one particular tool indicates that a threat actor or affiliate links to Maxim Yakubets of EvilCorp or any group on the OFAC-sanctioned list. Their statement appeared to be in response to a June 2 blog post by Mandiant.
Using the FoxConnBC attack as an example, LockBit writes, in part:
Just because FoxConn will be attacked by every ransomware affiliate in the world does not mean that Maxim Yakubets is hiding behind their brands. He has his own personal affiliate program, which is available to a narrow circle of high class professionals, I think the FBI agents know its name. I will not disclose the name of Maxim Yakubets affiliate program for ethical reasons, try to guess it yourself.
Point taken, but will it be enough to keep them off the OFAC banned list?