Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks

The recently born Bl00Dy Ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild.

The Bl00Dy Ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks in the wild.

Last week, an alleged disgruntled developer leaked the builder for the latest encryptor of the LockBit ransomware gang.

The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.

The code of the encryptor was leaked on Twitter by at least a couple of accounts, @ali_qushji and @protonleaks1.

The builder is contained in a password-protected 7z archive, “LockBit3Builder.7z,” containing:

• Build.bat;
• builder.exe;
• config.json;
• keygen.exe.

The availability of the builder could allow any threat actor to create its own version of the ransomware customizing it by modifying the configuration file.

Now BleepingComputer first reported that the Bl00Dy Ransomware group started using the Lockbit 3.0 builder to create its own ransomware.

The group in past attacks created its own malware by using leaked builders, such as Babuk and Conti.

Early this week, the researcher Vladislav Radetskiy reported the discovery of a new Bl00Dy Ransomware Gang encryptor that was employed in an attack on a Ukrainian organization. The researchers did not immediately identify the ransomware involved in the attack, it appeared as Conti or LockBit.

MalwareHunterTeam researchers confirmed that the encryptor used in the attack by the Bl00Dy Ransomware group was built using the leaked LockBit 3.0 builder.

BleepingComputer researchers, who tested the Bl00dy Ransomware Gang’s encrypter, confirmed that it was generated with the leaked LockBit 3.0. builder.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Bl00Dy Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]