The leak of the LockBit 3.0 ransomware builder in September 2022 has had significant consequences, leading to the development of personalized variants by various criminal organizations [3]. These customized versions, created using the leaked builder tool, have resulted in a surge of attacks on multiple organizations [2] [4] [5] [8]. This highlights the versatility of the leaked builder and presents new challenges for security analysts and defense systems.

Description

The leak of the LockBit 3.0 ransomware builder in September 2022 resulted in the development of numerous personalized variants by various criminal organizations, including the National Hazard Agency [8], Bl00dy [1] [7] [8], and Buhti [1] [7]. These customized versions, created using the leaked builder tool, have led to a surge in attacks on multiple organizations [2] [4] [5] [8]. Interestingly, some of these attacks do not mention LockBit in the ransom note, suggesting the involvement of a different group [3] [5]. This highlights the versatility of the leaked builder, which allows cybercriminals to create their own versions of LockBit, resulting in different ransom notes and variations in how the ransomware is used [3]. Consequently, security analysts and defense systems face new challenges in combating these evolving threats.

Kaspersky researchers responded quickly to the leak and discovered new variations of the malware. One of these variants, confirmed as LockBit, had a distinct ransom demand procedure and was attributed to the National Hazard Agency [8]. This variant stood out because the LockBit group itself typically uses its own communication platform. Other threat groups identified using LockBit 3.0 included Bl00dy and Buhti [8].

The exposure of the builder’s design and techniques through a thorough analysis conducted by Kaspersky’s GERT team provides valuable data for law enforcement and cyber defenders to combat the LockBit group and prevent future infiltrations. The insights gained from the leak also enable the development of better security measures to protect organizations from ransomware attacks.

It is worth noting that the leak of the LockBit 3.0 ransomware builder last year resulted in the creation of numerous new variants. Kaspersky researchers have identified almost 400 unique LockBit samples, 312 of which were created using the leaked builder [4] [5] [7]. Some of these samples do not mention LockBit at all in the ransom note, suggesting rapid development by other actors [4] [5].

LockBit is considered one of the most successful ransomware threats, having extorted approximately $91 million from US victims since 2020 [4]. It has compromised around 1,700 American organizations in the last three years, with 16% of attacks targeting State, Local, and Tribal governments [4]. These statistics underscore the significant impact and widespread reach of LockBit ransomware attacks.

Security researchers have warned that a new wave of LockBit ransomware variants is circulating after the source code used by the ransomware gang was leaked last year [2]. LockBit operates on a ransomware-as-a-service model, and its latest version, LockBit 3.0 [1] [2] [3] [4] [5] [6] [7] [8], was launched in June 2022 [2]. However, the source code for this release was stolen and shared online [2]. Other ransomware gangs are now using the stolen code to create their own customized versions of the ransomware [2]. Analysis of recent attacks attributed to LockBit revealed that some variants did not include any reference to LockBit in the ransom note, indicating misuse of the builder by other actors [2]. Many of the LockBit variants also did not have the command-and-control communication function enabled, suggesting that they were used for encryption attacks only [2]. The leak of the source code has removed barriers for the LockBit group and exposed their weaponized techniques, tactics, and procedures [1] [2] [5] [8]. However, it also provides law enforcement with comparative data to target the LockBit group and helps cyber defenders prevent infiltration [2].

Kaspersky has identified 396 unique LockBit samples, 312 of which were created using the leaked builder [4] [5] [7]. Interestingly, 77 samples did not mention “LockBit” in their ransom notes, suggesting rapid development [5]. Another ransomware strain, ADHUBLLKA, has undergone various iterations since 2019, characterized by changes in encryption techniques, ransom notes, and communication methods [1] [2] [3] [4] [5] [7]. These iterations are linked to ADHUBLLKA through common source code and infrastructure elements [5].

Conclusion

The leak of the LockBit 3.0 ransomware builder has had far-reaching consequences, resulting in the development of numerous personalized variants and a surge in attacks on organizations [5] [6]. The versatility of the leaked builder tool has presented new challenges for security analysts and defense systems. However, the exposure of the builder’s design and techniques provides valuable data for law enforcement and cyber defenders to combat the LockBit group and prevent future infiltrations [6]. The insights gained from the leak also enable the development of better security measures to protect organizations from ransomware attacks. The ongoing circulation of LockBit ransomware variants and the misuse of the builder by other actors highlight the need for continued vigilance and proactive measures in the fight against ransomware threats.

References

[1] https://www.purevpn.com/blog/news/lockbit-3-0-arising-with-new-variants/
[2] https://siliconangle.com/2023/08/28/lockbit-ransomwares-stolen-source-code-fuels-new-threat-variants/
[3] https://www.techzine.eu/news/security/110621/lockbit-thieves-have-become-victims-of-robbery-themselves/
[4] https://www.techradar.com/pro/security/a-whole-new-generation-of-lockbit-ransomware-could-be-here
[5] https://www.blackhatethicalhacking.com/news/explosion-of-new-variants-triggered-by-lockbit-3-0-ransomware-builder-leak/
[6] https://www.infosecurity-magazine.com/news/lockbit-3-variants-surge-post/
[7] https://www.cryptus.in/hackingnews/a-leak-from-the-lockbit-3-0-ransom-builder-has-produced-hundreds-of-new-different-kinds/
[8] https://www.scmagazine.com/news/lockbit-code-leak-sparks-wave-of-raas-attacks