Lockbit v3, aka Lockbit Black, was detected in June 2022, and in September 2022 a builder for this variant was leaked online. The availability of the builder allowed anyone to create their own customized version of the ransomware. At least two different Twitter users (@protonleaks and @ali_qushji) published the files needed to create different flavors of this ransomware, Kaspersky researchers observed.
Analysis of the compilation timestamps revealed that the binary, builder.exe, was slightly different in the two leaks. “The version from protonleaks registers the compilation date 2022/09/09. Meanwhile, the version from ali_qushji was compiled on 2022/09/13. A similar difference in compilation time was identified in the malware’s template binaries (embedded and incomplete versions of the malware used to build the final version ready for distribution),” reads the analysis published by Kaspersky.
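The compile-date comparison above relies on the TimeDateStamp field in each binary's PE/COFF header. As an added example (not Kaspersky's tooling and not code from the original article), this Python code reads that field and orders samples by it; the header stubs are constructed from the two dates in the report, and all function names are hypothetical.

```python
import struct
from datetime import datetime, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def make_stub(when: datetime, e_lfanew: int = 0x80) -> bytes:
    """Build a constructed, non-executable PE header stub carrying `when`."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # 20-byte COFF header: Machine = 0x014C (i386), other fields zeroed.
    coff = struct.pack("<HHIIIHH", 0x014C, 0, int(when.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff

def compare_builds(samples: dict) -> list:
    """Return (label, compile time) pairs sorted oldest first."""
    pairs = [(name, pe_compile_time(blob)) for name, blob in samples.items()]
    return sorted(pairs, key=lambda p: p[1])

# Constructed sample data: only the dates come from the report; the
# time of day (00:00 UTC) and the stub bytes are assumptions.
SAMPLES = {
    "ali_qushji": make_stub(datetime(2022, 9, 13, tzinfo=timezone.utc)),
    "protonleaks": make_stub(datetime(2022, 9, 9, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for name, ts in compare_builds(SAMPLES):
        print(f"{name:12s} builder.exe compiled {ts:%Y/%m/%d}")
```

The field is written by the linker and can be altered or zeroed, so it is best used to cluster related builds alongside other evidence rather than as proof of build date.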
Shortly after the leak of the builder, Kaspersky researchers found a variant of Lockbit 3 ransomware during an incident response.
This ransomware variant was deployed using a different ransom note, with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY.
The ransom note included the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the Lockbit group, which relies on its own negotiation platform.
Other threat actors also employed this variant in their attacks, such as Bl00dy and Buhti.
Kaspersky analyzed 396 distinct samples. Most of them (312) were created by the leaked builders, but researchers also spotted samples created by other unknown builders dated June and July 2022.
The experts noticed that many of the detected parameters correspond to the default configuration of the builder, and only some contain minor changes. This suggests that these samples were likely developed for urgent needs or possibly by lazy actors.
Most of the samples encrypt local disks and network shares, avoiding hidden folders, and do not enable the system shutdown option.
The experts noticed that network deployment by PSEXEC is configured in 90% of the samples, while deployment by GPO is configured in 72%. Only a limited number of samples enable communication to C2.
“Finally, some statistics relate to the usage of leaked builders by actors other than the “original” Lockbit. We found that 77 samples make no reference to a “Lockbit” string (case-insensitive) in the ransom note, which is quite unexpected according to LB TTP.” concludes the report. “The modified ransom note without reference to Lockbit or with a different contact address (mail/URL) reveals probable misuse of the builder by actors other than the “original” Lockbit.”