The following transcript has been edited for clarity. To hear the full conversation, play the podcast.
Howard: Let’s start by looking at the LockBit ransomware gang’s claim on Monday that it has stolen data from security provider Mandiant for sale. Mandiant denies there’s been a data theft. It could be a coincidence, but LockBit’s claim came out as the annual RSA Conference in San Francisco started. Assuming the data theft is true, the goal might have been to embarrass a big company at a big event. Another possibility is that LockBit was taking advantage of a Mandiant report the week before that suggested that threat groups are moving to use the LockBit strain. Terry, what do you think is going on?
Terry Cutler: I think the timing is very interesting because of the RSA Conference. Pretty much all eyes are on RSA, obviously. I think they’re being made to get embarrassed. But at the same time, it’s a PR nightmare because now the supposed hack is overshadowing their brand.
Howard: A researcher at Emsisoft suggested that if it is true that LockBit has some Mandiant files they might have gotten them through hacking another company, not necessarily Mandiant itself.
Terry: We see this repeatedly. It could be a partner that Mandiant works with that has too much access to the Mandiant system. Over time we see a lot of companies that have no [network] monitoring in place, they have bad patching, they have no [intrusion] detection technology, or a partner is no longer working there but their account is still active. There’s also a good chance that Mandiant asked for proof of life of the [allegedly stolen] files.
Howard: LockBit is becoming one of the most prominent ransomware groups, at least by the number of claimed victims on its data leak site. According to a report from researchers at Kala, during the first quarter of this year LockBit claimed it had 226 victims, and that’s second to the Conti group. This report also noted the difficulty, though, of trusting data leak site claims. For example, in January Conti claimed that it hit a U.S. auto dealership; in March the same company was listed on another ransomware gang’s site, and it was listed on a third gang’s site in April. This raises an interesting question: Are gangs cooperating or are they fighting with each other?
Terry: It wouldn’t surprise me if the members are actually overlapping. That way they can actually double-dip. Ransomware gangs actually have a shortage of staff, as well. Last year some of the members of Conti leaked some documents that actually showed some of these groups have an HR department. There are performance reviews and they even have an employee-of-the-month program. Someone even leaked the Conti ransomware source code.