LockBit Ransomware Builder Leaked Online By “Annoyed Developer”


The LockBit ransomware operation has suffered a breach, allegedly by a disgruntled developer leaking the builder for the gang’s latest encryptor.

In June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black, after two months of testing.

The new version promised to ‘Make Ransomware Great Again’, adding new anti-analysis features, a ransomware bug bounty program, and new extortion methods.

However, it looks like Lockbit has suffered a breach, with two people (or perhaps the same person) leaking the Lockbit 3.0 builder on Twitter.

Lockbit 3.0 builder leaked on Twitter

According to security researcher 3xp0rt, a newly registered Twitter user named ‘Ali Kushji’ said that his team hacked LockBit’s servers and found a builder for the LockBit 3.0 ransomware encryptor.


After security researcher 3xp0rt shared a tweet about the leaked LockBit 3.0 builder, VX-Underground shared that they were contacted on 10 September by a user named ‘protonleaks’ who also shared a copy of the builder.

However, VX-Underground says that LockBitSup, the public representative of the LockBit operation, claims they were not hacked, but rather that the private ransomware builder was leaked by a disgruntled developer.

VX-Underground shared in a now-deleted tweet, “We contacted the Lockbit ransomware group regarding this and found that the leaker was a programmer employed by the Lockbit ransomware group.”

“They were upset with the Lockbit leadership and they leaked it to the builder.”

BleepingComputer has spoken to several security researchers who have confirmed that the builder is legit.

Builder lets anyone start a ransomware gang

Regardless of how the private ransomware builder leaked, it is a serious blow not only to the LockBit ransomware operation but also to the enterprise, which will see an increase in threat actors using it to launch their own attacks.

The leaked LockBit 3.0 builder allows anyone to create the executables they need to launch their own operation, including an encryptor, a decryptor, and special tools to launch the decryptor in certain ways.

The builder consists of four files: an encryption key generator, a builder, a modified configuration file, and a batch file to build all the files.

[Figure: LockBit 3.0 builder files. Source: Bleeping Computer]

The included ‘config.json’ can be used to customize an encryptor, including modifying the ransom note, changing configuration options, deciding which processes and services to terminate, and even specifying the command and control server that the encryptor will send data to.

By modifying the configuration file, any threat actor can customize it to their needs and modify the created ransom note to be linked to their own infrastructure.

[Figure: LockBit 3.0 configuration file. Source: Bleeping Computer]

When the batch file is executed, the builder will generate all the files needed to launch a successful ransomware campaign, as shown below.

[Figure: Ransomware executable created by the LockBit 3.0 builder. Source: Bleeping Computer]

BleepingComputer tested the leaked ransomware builder and was able to easily adapt it to use our own local command and control server, encrypt our files, and then decrypt them, as shown below.

[Figure: Demonstration of the built LockBit 3.0 decryptor. Source: Bleeping Computer]

This is not the first time a ransomware builder or source code has leaked online, leading to attacks by other threat actors who launched their own operations.

In June 2021, the Babuk ransomware builder was leaked, allowing anyone to create encryptors and decryptors for Windows and VMware ESXi, which other threat actors use in attacks.

In March 2022, when the Conti ransomware operation suffered a data breach, their source code was leaked online too. This source code was quickly used by the NB65 hacking group to launch ransomware attacks on Russia.
