Bl00dy ransomware gang started using leaked LockBit 3.0 builder

Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks

Pierluigi Paganini September 28, 2022

The recently born Bl00Dy Ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild.

The Bl00Dy Ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks in the wild.

Last week, an alleged disgruntled developer leaked the builder for the latest encryptor of the LockBit ransomware gang.

The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.

The code of the encryptor was leaked on Twitter by at least a couple of accounts, @ali_qushji and @protonleaks1.

Unknown person @ali_qushji said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) Ransomware. You can check it on the GitHub repository https://t.co/wkaTaGA8y7 pic.twitter.com/cPSYipyIgs
— 3xp0rt (@3xp0rtblog) September 21, 2022

The builder is contained in a password-protected 7z archive, “LockBit3Builder.7z,” containing:

Build.bat;
builder.exe;
config.json;
keygen.exe.

The availability of the builder could allow any threat actor to create its own version of the ransomware customizing it by modifying the configuration file.

Now BleepingComputer first reported that the Bl00Dy Ransomware group started using the Lockbit 3.0 builder to create its own ransomware.

The group in past attacks created its own malware by using leaked builders, such as Babuk and Conti.

Early this week, the researcher Vladislav Radetskiy reported the discovery of a new Bl00Dy Ransomware Gang encryptor that was employed in an attack on a Ukrainian organization. The researchers did not immediately identify the ransomware involved in the attack, it appeared as Conti or LockBit.

Just in case someone will want to know a little bit more about #Bl00dy #Ransomware TTP`s.
Here my unfinished report (in English)https://t.co/DN0CMiuvo8 @vxunderground @malwrhunterteam @James_inthe_box @VK_Intel @TrellixLabs @AdvIntel @demonslay335 @ChristiaanBeek
— VR (@angel11VR) September 26, 2022

MalwareHunterTeam researchers confirmed that the encryptor used in the attack by the Bl00Dy Ransomware group was built using the leaked LockBit 3.0 builder.

So, there is already a ransomware gang that started using the leaked LockBit 3.0 builder: "BL00DY RANSOMWARE GANG".
😫 https://t.co/0uUBYIH7kq pic.twitter.com/Egv88ZY22w
— MalwareHunterTeam (@malwrhunterteam) September 26, 2022

BleepingComputer researchers, who tested the Bl00dy Ransomware Gang’s encrypter, confirmed that it was generated with the leaked LockBit 3.0. builder.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Bl00Dy Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini July 26, 2025

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

Pierluigi Paganini July 25, 2025