Hacking

Leaked LockBit 3.0 ransomware builder used by multiple threat actors

The leak of the source code of the LockBit 3.0 ransomware builder in 2022 allowed threat actors to create new variants of the threat.

Lockbit v3, aka Lockbit Black, was detected in June 2022, but in September 2022 a builder for this variant was leaked online. The availability of the builder allowed anyone to create their own customized version of the ransomware. At least two different Twitter users (@protonleaks and @ali_qushji) published the files needed to create different flavors of this ransomware, Kaspersky researchers observed.

The analysis of the timestamp revealed that the binary, builder.exe, was slightly different in both leaks. “The version from protonleaks registers the compilation date 2022/09/09. Meanwhile, the version from ali_qushji was compiled on 2022/09/13. A similar difference in compilation time was identified in the malware’s template binaries (embedded and incomplete versions of the malware used to build the final version ready for distribution).” reads the analysis published by Kaspersky.

Shortly after the leak of the builder, Kaspersky researchers found a variant of Lockbit 3 ransomware during an incident response.

This ransomware variant was deployed using a different ransom note, with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY.

LockBit 3.0 ransomwareLockBit 3.0 ransomware

The ransom note included the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the Lockbit group, which relies on its own negotiation platform.

Other threat actors also employed this variant in their attacks, such as Bl00dy and Buhti.

Kaspersky analyzed 396 distinct samples, most of them (312) were created by the leaked builders, but researchers also spotted samples created by other unknown builders dated June and July 2022.

The experts noticed that many of the detected parameters correspond to the default configuration of the builder, but only some contain minor changes. This circumstance suggests that these samples were likely developed for urgent needs or possibly by lazy actors.

Most of the samples encrypt local disks and network shares, avoiding hidden folders, and do not enable the system shutdown option.

The experts noticed that network deployment by PSEXEC is configured in 90% of the samples, while deployment by GPO is configured in 72%. One a limited number of samples enable communication to C2.

“Finally, some statistics relate to the usage of leaked builders by actors other than the “original” Lockbit. We found that 77 samples make no reference to a “Lockbit” string (case-insensitive) in the ransom note, which is quite unexpected according to LB TTP.” concludes the report. “The modified ransom note without reference to Lockbit or with a different contact address (mail/URL) reveals probable misuse of the builder by actors other than the “original” Lockbit.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Yale New Haven Health (YNHHS) data breach impacted 5.5 million patients

Yale New Haven Health (YNHHS) announced that threat actors stole the personal data of 5.5…

2 hours ago

Crooks exploit the death of Pope Francis

Crooks exploit the death of Pope Francis, using public curiosity and emotion to launch scams…

7 hours ago

WhatsApp introduces Advanced Chat Privacy to protect sensitive communications

WhatsApp adds Advanced Chat Privacy feature that allows users to block others from sharing chat…

9 hours ago

Android spyware hidden in mapping software targets Russian soldiers<gwmw style="display:none;"></gwmw>

A new Android spyware was discovered in a fake Alpine Quest app, reportedly used by…

14 hours ago

Crypto mining campaign targets Docker environments with new evasion technique

New malware campaign targets Docker environments using unknown methods to secretly mine cryptocurrency, researchers warn.…

1 day ago

The popular xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack

The xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack aimed at stealing…

1 day ago