
DOJ Announces It Won’t Prosecute White Hat Security Researchers

source link: https://www.vice.com/en/article/k7b7xa/hacker-steals-lastpass-source-code-company-says

Hacker Steals LastPass Source Code, Company Says

Hackers broke into a LastPass developer account and stole "portions" of the company's source code and some technical information, according to LastPass.
August 26, 2022, 2:25pm
LastPass
Image: SOPA Images/Contributor

LastPass, a popular password manager and two-factor authentication provider, has been hacked, again. This time, hackers managed to steal parts of the company’s source code, a move that does not pose an immediate risk to users but one that shines a bad light on a company that is responsible for guarding access to its customers' sensitive login credentials.

LastPass declined to tell Motherboard what product the source code theft impacted. An email LastPass sent to users and a blog post published on its website says “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.”


In a statement, LastPass spokesperson Nikolett Bacso Albaum told Motherboard “We recently detected some unusual activity within portions of the LastPass development environment. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.”

LastPass offers various free and paid plans for its authentication products, and previously said it has over 20 million users. To use LastPass, customers set a “master password” which then grants a user access to the rest of their passwords stored with the service. 


This isn’t the first time hackers have successfully breached LastPass. Hackers targeted the company in 2015 and accessed email addresses, password reminders, and other user information.

On the latest breach, Albaum’s statement added that “In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”

Companies that provide authentication services are prime targets for hackers because gaining access to them might provide the ability to, or at least clues that would help in, hacking other targets. In 2011, Chinese hackers broke into cybersecurity firm RSA and stole what WIRED described as the “crown jewels of cybersecurity”: the seeds that govern the two-factor authentication codes customers used to log into their systems.


BEEF ALERT: Ransomware Group Very Mad at Being Associated With Lavish Russian Hackers

Mandiant published a report alleging that infamous hackers Evil Corp had started using the LockBit ransomware to avoid sanctions. LockBit is now very mad.
June 7, 2022, 3:28pm
Evil Corp car
Image: NCA

The ransomware group LockBit really, really wants you to believe that its ransomware-as-a-service is not being used by Evil Corp, some of the most infamous and flashiest hackers on the planet, as researchers from cybersecurity firm Mandiant allege.

Mandiant published a report last Thursday which said that a group that overlapped with Evil Corp had recently switched to using LockBit ransomware. Evil Corp is a hacking group based in Russia whose members flaunt their extravagant wealth by, among other things, doing donuts in custom Lamborghinis in the streets of Russian cities.


Monday, LockBit claimed it hacked Mandiant, seemingly in retribution for the cybersecurity firm's report. On its website, LockBit said it planned to release documents hacked from Mandiant. But when LockBit published the files, the data didn’t come from Mandiant at all. The cache was a small selection of chat logs of an unknown provenance, photos of a Ferrari, and a bizarre, rambling statement.

“Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI, and so on,” the statement, included in a file named “mandiantyellowpress.com.txt”, read.


In December 2019, the U.S. government sanctioned Evil Corp. In its report, Mandiant says it believes the group has moved to using LockBit in an effort to “hinder attribution efforts in order to evade sanctions.”

Evil Corp using LockBit to avoid sanctions could make sense because LockBit acts as a ransomware-as-a-service. With this, affiliate hackers can break into a target and then use the ransomware in an attempt to extort money from the victim. After a successful payment, the affiliate hackers then transfer a percentage of that money to the LockBit authors, LockBit’s website reads. In other words, a lot of different hackers use LockBit, and Evil Corp could blend into the crowd and still receive payments because its victims might not realize they are dealing with a sanctioned entity.


LockBit doesn’t like this conclusion, judging by the statement.

“I was very surprised to read the news on Twitter from the yellow press. mandiant.com are not professional. Any scripts and tools for attacks, are publicly available and can be used by any hacker on the planet, most of the attack methods are on the forums, githab [sic] and google, the fact that someone uses similar tools can not be proof that the attack is done by the same person,” it read.

In February, the FBI published indicators of compromise related to LockBit. “LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits,” the release read. LockBit’s software does not infect machines if it detects the computers are running a series of Eastern European languages, the release added. 

A LockBit representative did not respond to a request for comment from Motherboard sent before the files’ publication.

Mark Karayan, senior manager in marketing communications at Mandiant, told Motherboard in an email before the data was published that “Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.” After the files’ publication, Motherboard asked if Mandiant stood by its assessment from Thursday’s report.

“Yes,” Karayan replied.


Hackers Drain Wedding Cash From Couples’ Zola Registry Accounts

“Someone hacked our account and STOLE ALL OUR WEDDING GIFT MONEY!”
May 23, 2022, 4:59pm
wedding
Image: Andersen Ross/GettyImages

Hackers broke into the accounts of several couples using the wedding services site Zola and drained their wedding registry accounts, victims told Motherboard. Others were locked out of their accounts in the run-up to their weddings.

“They charged thousands of dollars on my credit card beyond the max limit and potentially can steal wedding funds if this isn’t resolved by Wednesday,” one of the victims told Motherboard in an online chat. “I feel that no matter about the password issue, Zola should be held responsible and not allow credit card transactions without requiring a security code confirmation.”


The victim said that Zola finally called her on Monday morning and told her that the credit card transactions “will all be refunded.”

Another victim, who asked to be identified only by her first name, Ali, told Motherboard in an online chat that her fiancé Jackie got a fraud alert from her bank on Saturday alerting her that someone was using her credit card to purchase items on Zola. 


“​​We checked in to our Zola account and saw that the email address for the account had been changed to someone we don’t know,” Ali said. “Then we noticed that all our wedding funds that had been gifted to us were being processed to be transferred to a bank account that was not ours.”

Screenshots of bank statements shown to Motherboard by the victims show a string of transactions in quick succession to or from "Zola Registry."

The company disclosed the hack on Twitter apologizing to “those who detected any irregular account activity.”

Several people on Twitter said hackers were able to use their credit cards and make purchases, resulting in them losing thousands of dollars. 

Zola spokesperson Emily Forrest said that “cash transfers were blocked. All cash funds have been restored. Any action that a couple did not take will be corrected.”

Ashley Smith, another victim, told Motherboard that she and her fiancé had “$1000 stolen from a cash fund within Zola and our credit card information was stolen and used to purchase $675 in gift cards from the Zola website.”


“Additionally, the email and password to the account were changed so now we’re locked out. Zola support was closed all weekend and although they were supposed to open at 10am est today it is 11:34 and the phone lines are still closed,” she said in an online chat. 


In a statement sent via email to Motherboard, the company said that the hackers used a technique known as credential stuffing, whereby attackers try to break into accounts using logins and passwords that have been exposed in other data breaches, hoping that the targets reused those passwords.

“These hackers likely gained access to those set of exposed credentials on third party sites and used them to try to log in to Zola and take bad actions. Our team jumped into action immediately to ensure that all couples and guests on Zola are protected. Out of an abundance of caution, our Trust & Safety team also took several additional actions including resetting all passwords,” Zola spokesperson Emily Forrest told Motherboard. “We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked. Credit cards and bank info were never exposed and continue to be protected. There was no known infrastructure breach. Service to both iOS and Android apps has been restored. Actions that were not taken by our account users will be corrected.”
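Credential stuffing, as described above, has a recognisable shape in authentication logs: one source tries many different accounts, usually once each, with a high failure rate, whereas a legitimate user who mistypes a password hits a single account a few times. The following is an added example of that detection logic and is not Zola’s code or anything Zola has published; the log format, IP addresses, usernames and thresholds are all constructed for illustration. The accounts that did log in successfully from a flagged source are the ones worth force-resetting first, since a success during a stuffing run is the breach-reused password the attacker was looking for.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not Zola's own detection logic. The log format
("timestamp src_ip username SUCCESS|FAIL"), the addresses, the
usernames and the thresholds are constructed for this illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.7 sprays eight different accounts and gets
# two hits; 198.51.100.2 is one user fumbling their own password;
# 192.0.2.9 is an ordinary single login.
SAMPLE_LOG = """\
2022-05-21T08:00:01Z 203.0.113.7 alice FAIL
2022-05-21T08:00:01Z 203.0.113.7 bob FAIL
2022-05-21T08:00:02Z 203.0.113.7 carol SUCCESS
2022-05-21T08:00:02Z 203.0.113.7 dave FAIL
2022-05-21T08:00:03Z 203.0.113.7 erin FAIL
2022-05-21T08:00:03Z 203.0.113.7 frank FAIL
2022-05-21T08:00:04Z 203.0.113.7 grace SUCCESS
2022-05-21T08:00:04Z 203.0.113.7 heidi FAIL
2022-05-21T08:01:00Z 198.51.100.2 alice FAIL
2022-05-21T08:01:05Z 198.51.100.2 alice FAIL
2022-05-21T08:01:09Z 198.51.100.2 alice SUCCESS
2022-05-21T08:02:00Z 192.0.2.9 ivan SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


@dataclass
class SourceStats:
    """Per-source-IP counters built while scanning the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in


def parse(log_text):
    """Turn raw log text into (timestamp, ip, user, result) tuples.

    Lines that do not match the expected shape are skipped rather than
    crashing the detector; malformed input is normal in real log feeds.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def aggregate(events):
    """Group events by source IP and count attempts, failures and targets."""
    stats = defaultdict(SourceStats)
    for _, ip, user, result in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats


def detect_stuffing(events, min_users=5, min_fail_ratio=0.5):
    """Return {ip: [accounts to reset]} for sources that look like stuffing.

    A stuffing run touches many distinct accounts with mostly failures.
    A user retrying their own password touches one account, so the
    distinct-user threshold keeps them out of the result regardless of
    how many times they fail.
    """
    flagged = {}
    for ip, s in aggregate(events).items():
        many_targets = len(s.users) >= min_users
        mostly_failing = s.failures / s.attempts >= min_fail_ratio
        if many_targets and mostly_failing:
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, hits in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; reset {hits}")
```

The thresholds are deliberately simple. In production the same counters would be kept per source over a sliding window and combined with signals the log line alone does not carry, such as whether the password tried matches a known-breached hash, but the distinct-accounts-per-source ratio is the signal that separates stuffing from a forgetful user.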


Another alleged victim said on Twitter that she lost almost $4,000. Another one claimed hackers stole all their wedding funds that they had received as gifts. 

“Someone hacked our account and STOLE ALL OUR WEDDING GIFT MONEY!” she wrote on Twitter. “How do you plan to return the funds to us? We’ve been unable to get in touch with any customer support.” 

Forrest said that “ultimately, fewer than 0.1 percent of all Zola couples were impacted. Couples who did experience irregular activity on their accounts can rest assured that any outstanding issues will be resolved and addressed. We know that there are some couples who are still waiting to hear back from us on an individual request, and our support team is working tirelessly to respond to every email. But, all couples and guests can absolutely resume their normal activity on Zola. Again, we are deeply apologetic to those for whom this may have caused stress.”

“We are also aware of the gift card orders and are very quickly working to correct them. The vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day. Any action that a couple did not take will be corrected. By the end of the day, we guarantee and ensure that the 0.1% of couples impacted will be fully refunded in every way,” Forrest added.

The company alerted users in an email that said the company “detected some irregular activity, and as a precaution we have reset your password.” 

“We recommend you change it to one that is secure and unique, and we also suggest using a different password for every online account you have. Reusing the same passwords across multiple online accounts makes it more likely for any one of your accounts to become compromised. We are committed to protecting your personal information,” the email obtained by Motherboard read.

UPDATE, May 23, 1:48 p.m. ET: This story has been updated to add a comment from Zola.


Sellers for Encrypted Phone Firm Ciphr Locked Out of Orders

Ciphr, a company popular among organized criminals, plans to make dramatic changes to how sellers can distribute its encrypted messaging app. The move comes after weeks of uncertainty of the company's next move.
August 25, 2022, 5:58pm
Phone in hand
Image: Towfiqu Barbhuiya/EyeEm

Encrypted phone firm Ciphr, a company in an industry that caters to serious organized criminals, has made a radical change to how its product can be used and sold, signaling an attempt by the company to distance itself from, or perhaps cut off, its problematic customers.

The move is significant in that Ciphr is one of the few remaining established members of the encrypted phone industry after a cascading series of high profile law enforcement actions against its competitors. Some companies, such as Sky Secure, have also tried to clean up their act by banning resellers who they have identified as catering to criminal markets. 


“As we continue to focus on our core competencies as a software development company, we have made the decision to no longer support our Mobile Device Management (MDM/UEM) services,” a message sent by Ciphr to its resellers and seen by Motherboard reads. MDM is a tool for managing lots of phones at once, and can be used to install apps or block others. Ordinary companies often use MDM to keep their employees’ devices secure. For years Ciphr has used MDM to distribute its encrypted messaging tools. 


Now, it is shifting that responsibility away from itself to individual resellers of the devices. The message says that for resellers to continue with new sales or renewals of customers’ subscriptions, they will need to run their own MDM solution. This essentially puts the management of customers much more in the hands of the resellers and not Ciphr. 

The message says that this policy will come into force Thursday. “Effective August 25th, 2022, our software will no longer be supported using our MDM solution,” the message reads. “If you choose not to host your own MDM you will not be able to activate new sales or renewals as of August 22nd, 2020,” it adds. 


The reason for Ciphr’s change is unclear; one possibility is that the company wants to legally distance itself from use of its products by criminals. Ciphr has not responded to multiple emails sent over the past several weeks about this and related issues. Ciphr has previously responded to requests for comment on stories about its exit from certain markets.

“Next-level secure communication. The best app for encrypted messaging and calling,” Ciphr’s website reads. Motherboard has previously reported that Ciphr has been especially popular in Australia, where organized criminals have traditionally used encrypted devices from companies that sometimes deliberately lean into serving such markets. After the FBI, Australian Federal Police, and European partners revealed that another encrypted phone company called Anom was secretly a law enforcement honeypot, Ciphr pulled out of the Australian market altogether, Motherboard previously reported. One criminal organization run by a mastermind known as Mr. Blonde appears to have dodged the Anom honeypot because his associates were instead using Ciphr, the Sydney Morning Herald previously reported.


The message Ciphr sent to resellers caps off weeks of signs that the company was planning some sort of exit or change to its services. Weeks ago a website used by resellers of Ciphr became inaccessible, with vendors unable to log into the portal which allows them to renew customers subscriptions, according to a screenshot viewed by Motherboard at the time and a source with knowledge of the situation.

“HTTP ERROR: 404 — Compliance Issue, please contact support,” an error message displayed above the login page for Ciphr’s reseller portal read, according to the screenshot. Encrypted phone companies often use these password protected websites to let their resellers update customers' subscriptions or to sign up new users. The encrypted phone industry that Ciphr is part of often sells subscriptions to their services for thousands of dollars every six or 12 months. 

The source with knowledge of the situation said that some Ciphr users have moved to another company called SecureCrypt in response to the recent issues. Motherboard granted the source anonymity to speak more candidly about industry developments.

A former developer for Ciphr told Motherboard that even though they worked at the company for multiple years, they never saw the face of the company’s CTO. While other workers had their faces in their profile photos in chat programs, the CTO did not. 

“I have no idea what he looks like,” the developer said. The developer added that they were not aware of what sorts of people bought Ciphr phones until Motherboard alerted them to it earlier this year. Motherboard granted the developer anonymity to protect them from retaliation.

In 2018, the FBI shuttered Phantom Secure, a pioneer in the underground industry, and arrested its CEO Vincent Ramos. Various agencies were involved in a hack of Encrochat in 2020, and then Sky Secure last year. These companies, including Ciphr, are especially heavily used by drug traffickers and other top-tier criminals.

In 2017, someone created a website and dumped sensitive information about Ciphr users, including unique IMEI numbers and email addresses.


DOJ Announces It Won’t Prosecute White Hat Security Researchers

The new policy addresses decades of uncertainty around the law and security research.
May 19, 2022, 4:32pm
Department of Justice
Image: bpperry

On Thursday, the Department of Justice announced a policy shift: it will no longer prosecute good-faith security research under the country’s federal hacking law, the Computer Fraud and Abuse Act (CFAA), even where that research would technically have violated it.

The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.


“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The policy itself reads that “the Department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”

For decades experts have criticized the broad nature of the CFAA. The Electronic Frontier Foundation, an activist organization, previously said that “Security research is important to keep all computer users safe. If we do not know about security vulnerabilities, we cannot fix them, and we cannot make better computer systems in the future. The CFAA should protect white-hat hackers and give them incentives to continue their important work.”


Andrew Crocker, a senior staff attorney on the EFF’s civil liberties team told Motherboard in a statement “We're pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure. Too often, the specter of the CFAA—with its ill-defined focus on ‘unauthorized access’—deters researchers from discovering and disclosing vulnerabilities in these systems.”

He said that the new policy does not go far enough. “By exempting research conducted ‘solely’ in ‘good faith,’ the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution. As an agency policy, it does not bind courts and can be rescinded at any time such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. The policy is a good start, but it is no substitute for comprehensive CFAA reform.”

The announcement provided an example of the sort of ‘research’ that would be considered bad faith and could still face charges. “Discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith,” it reads.

The new policy comes into effect immediately and all federal prosecutors who wish to charge cases under the CFAA are required to follow the policy, the announcement adds.

Updated: This piece has been updated to include a statement from the EFF.

© 2022 VICE MEDIA GROUP
