LockBit 2.0 gang claims Mandiant as latest victim; Mandiant sees no evidence of it

The group took issue with a recent Mandiant analysis, it said.
Mandiant CEO Kevin Mandia speaks May 31, 2018, at the Cyber Threat Intelligence Forum presented by FireEye and produced by CyberScoop and FedScoop. (Scoop News Group)

A prominent ransomware group claimed early Monday it had successfully attacked cybersecurity giant Mandiant and would release company files. By the end of the day it posted a note slamming Mandiant’s recent research linking it to a separate, sanctioned, cybercrime group.

LockBit 2.0 — a ransomware-as-a-service variant that can claim thousands of victims around the world since it was first spotted as ABCD ransomware in September 2019 — originally claimed on its dark web portal that it would release Mandiant files late Monday.

A Mandiant spokesperson told CyberScoop Monday afternoon that the company was aware of the claims, but saw no evidence to support them.

After the group posted its second note late Monday, a Mandiant spokesperson said “there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant’s June 2nd, 2022 research blog on UNC2165 and LockBit.”

Screenshot from the initial LockBit 2.0 web page claiming the group will release Mandiant files.

On June 2, Mandiant published an analysis suggesting that affiliates of Evil Corp., a long-running cybercrime group that the U.S. government sanctioned in 2019, had turned to using LockBit 2.0 off-the-shelf ransomware to evade sanctions. Mandiant groups those affiliates under the name UNC2165.

The note posted to LockBit 2.0’s website late Monday called Mandiant “not professional” and denied any connection with Evil Corp.

“Our group has nothing to do with Evil Corp,” the note read. “We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI and so on.”

Mandiant is a prominent figure in the multibillion-dollar-per-year cybersecurity industry. In March the company announced that Google would acquire Mandiant in a deal worth roughly $5.4 billion, and that it would become part of Google Cloud.


Brett Callow, a threat analyst with cybersecurity firm Emsisoft who follows the ransomware ecosystem closely, said the group has “made a number of false claims in the past.”

“In some cases, it appeared they’d obtained data relating to Company A from an attack on Company B, but claimed A as the victim,” Callow told CyberScoop. “It’s also entirely possible that LockBit’s claims have no substance to them whatsoever. In fact, this may be the most likely explanation.”

Past ransomware victims hit with the LockBit 2.0 variant include the Bulgarian state agency for refugees, the French Ministry of Justice and Accenture, which was unsuccessfully targeted for a $50 million ransom by the group.

A 2020 cyberattack on FireEye, the former parent company of Mandiant, revealed the beginnings of the so-called SolarWinds hack, which would later sprawl to include victims among federal agencies and major tech companies.

Updated 6/6/22: after LockBit 2.0 posted its note attacking Mandiant’s recent analysis on Evil Corp.
