Cyber company Darktrace gets caught up in LockBit gang's apparent blunder

Cybersecurity firm Darktrace denied on Thursday that it was hit with ransomware after apparently being erroneously added to the leak site operated by the LockBit gang.

The group posted Darktrace to its site on Thursday with a message criticizing the Cambridge, England-based company for allegedly monitoring its activities. Several cybersecurity experts said it appeared the group confused Darktrace with Darktracer, a cybersecurity Twitter account that criticized the ransomware group for repeatedly posting companies that had not been attacked.

“The reliability of the RaaS [ransomware as a service] … operated by LockBit ransomware gang seems to have declined,” Darktracer wrote on Twitter on Wednesday, sharing a picture of posts on LockBit’s leak site that appeared to have dummy text. “They appear to have become negligent in managing the service, as fake victims and meaningless data have begun to fill the list, which is being left unattended.”

The reliability of the RaaS service operated by LockBit ransomware gang seems to have declined. They appear to have become negligent in managing the service, as fake victims and meaningless data have begun to fill the list, which is being left unattended. pic.twitter.com/mfGhH93oYh

— Fusion Intelligence Center @ DarkTracer (@darktracer_int) April 12, 2023

LockBit claimed in response that it was just posting test data as it tries to improve its leak site.

In a statement shared with The Record and posted online, Darktrace said it became aware that it was added to LockBit’s site on Thursday morning. After a full review of internal systems, the company confirmed that there was no evidence of compromise.

“None of the LockBit social media posts link to any compromised Darktrace data. We will continue to monitor the situation extremely closely, but based on our current investigations we are confident that our systems remain secure and all customer data is fully protected,” the company said.

This would not be the first time LockBit added a cybersecurity company to its leak site out of anger. Last year, the group added cybersecurity firm Mandiant to its leak site four days after the company released a blog post that tied the gang to Evil Corp, a Russia-based cybercriminal group responsible for hundreds of cyberattacks since at least 2007.

LockBit was likely upset about the blog post because the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) had sanctioned Evil Corp in December 2019 – meaning any ties to the criminal organization would make ransomware victims wary of paying ransoms.

It was later revealed that LockBit had not actually breached any Mandiant systems and simply added the company to its leak site as retribution for the blog post.

Last August, the Cl0p ransomware group added the wrong water provider to its victim list — Thames Water, when in fact it had attacked the provider South Staffordshire PLC.