{ "id": "4b9c5530-07c4-4e11-9b45-1e494d08600f", "created_at": "2026-04-06T00:14:35.721716Z", "updated_at": "2026-04-10T13:11:19.689985Z", "deleted_at": null, "sha1_hash": "30fca651501ab425564c34ef1254a60c98d59b93", "title": "Mandiant: \u0026ldquo;No evidence\u0026rdquo; we were hacked by LockBit ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1092559, "plain_text": "Mandiant: \u0026ldquo;No evidence\u0026rdquo; we were hacked by LockBit\r\nransomware\r\nBy Sergiu Gatlan\r\nPublished: 2022-06-06 · Archived: 2026-04-05 17:32:46 UTC\r\nAmerican cybersecurity firm Mandiant is investigating LockBit ransomware gang's claims that they hacked the company's\r\nnetwork and stole data.\r\nThe ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files they\r\nallegedly stole from Mandiant will be leaked online.\r\n\"All available data will be published!\" the gang's dark web leak site threatens under a timer showing just under three hours\r\nleft until the countdown ends.\r\nhttps://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nLockBit has yet to reveal what files it claims to have stolen from Mandiant’s systems since the file listing on the leak page is\r\nempty.\r\nHowever, the page displays a 0-byte file named 'mandiantyellowpress.com.7z' that appears to be related to a\r\nmandiantyellowpress[.]com domain (registered today). Visiting this page redirects to the ninjaflex[.]com site.\r\nWhen BleepingComputer reached out for more details on LockBit's claims, the threat intel firm said it hadn't yet found\r\nevidence of a breach.\r\n\"Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims.\r\nWe will continue to monitor the situation as it develops,\" Mark Karayan, Mandiant's Senior Manager for Marketing\r\nCommunications, told BleepingComputer.\r\nThese claims come after Mandiant revealed in a report published last week that the Russian Evil Corp cybercrime group has\r\nnow switched to deploying LockBit ransomware on targets' networks to evade U.S. sanctions.\r\nMandiant announced in March that it entered into a definitive agreement to be acquired by Google in an all-cash transaction\r\nvalued at roughly $5.4 billion.\r\nThe LockBit ransomware gang has been active since September 2019 as a ransomware-as-a-service (RaaS) and relaunched\r\nas the LockBit 2.0 RaaS in June 2021 after ransomware actors were banned from posting on cybercrime forums [1, 2].\r\nAccenture, a Fortune 500 company and one of LockBit's victims, confirmed to BleepingComputer in August 2021 that it\r\nwas breached after the gang asked for a $50 million ransom not to leak data stolen from its network.\r\nIn February, the FBI released a flash alert with technical details and indicators of compromise associated with LockBit\r\nransomware attacks, asking companies targeted by this RaaS' affiliates to urgently report incidents to their local FBI Cyber\r\nSquad.\r\nAs cybersecurity company Sophos reported in April, a LockBit affiliate lurked around the network of a U.S. local\r\ngovernment agency for months before deploying the ransomware payload.\r\nUpdate: After LockBit published the files, it looks like this wasn't about files stolen from Mandiant's network but, instead,\r\nabout the ransomware group trying to distance itself from the Evil Corp cybercrime gang.\r\nThis was likely prompted by LockBit fearing the lost revenue because their victims will stop paying ransoms as Evil Corp is\r\nsanctioned by the U.S. government.\r\nI was very surprised to read the news on Twitter from the yellow press. mandiant.com are not professional. Any\r\nscripts and tools for attacks, are publicly available and can be used by any hacker on the planet, most of the attack\r\nmethods are on the forums, githab and google, the fact that someone uses similar tools can not be proof that the\r\nattack is done by the same person. \r\nOur group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do\r\nwith politics or special services like FSB, FBI and so on. \r\nhttps://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/\r\nPage 3 of 4\n\n\"Mandiant has reviewed the data disclosed in the initial LockBit release. Based on the data that has been released, there are\r\nno indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant's June\r\n2nd, 2022 research blog on UNC2165 and LockBit,\" Mandiant's Karayan told BleepingComputer.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/\r\nhttps://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/" ], "report_names": [ "mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434475, "ts_updated_at": 1775826679, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/30fca651501ab425564c34ef1254a60c98d59b93.pdf", "text": "https://archive.orkl.eu/30fca651501ab425564c34ef1254a60c98d59b93.txt", "img": "https://archive.orkl.eu/30fca651501ab425564c34ef1254a60c98d59b93.jpg" } }