LockBit Builder Leak Leads to Flood of Ransomware Variants
The leak 11 months ago of the builder for the LockBit 3.0 ransomware opened the door for any threat actor to create their own customized versions of the malware, and threat actors took advantage of the chance.
Researchers with Kaspersky detected a variant of LockBit 3.0 – also known as LockBit Black – in an attack on an organization almost immediately after two versions of the builder were leaked via Twitter (now X) users in September 2022. It was confirmed as LockBit 3.0 code, but with some differences, including around the ransom note.
Since then, the Russian cybersecurity company has discovered 396 distinct samples containing LockBit Black code, mostly developed using the leaked builder, Kaspersky researchers Eduardo Ovalle and Francesco Figurelli wrote in a recent report. Having so many variants can make life more difficult for threat hunters trying to nail down the threat they’re looking at.
It was a scenario cybersecurity firm Sectrio predicted, saying the leak of the builder “opens a Pandora’s box of new threats.”
“For a while, everything seemed to be going the way of LockBit 3.0 developers until an alleged disgruntled developer threw a spanner in the works by releasing the code of the encryptor,” the company wrote in a blog post just after the leak was disclosed. “This will enable other ransomware groups to build on the encryptor (or modify it) and launch new and more stealthy variants.”
New Ransomware Groups Given Powerful Tool
The problem is that new ransomware groups could launch their own operations using these modified variants and “such variants could also be re-engineered in academic or research labs and in case these variants are accidentally or deliberately released into the web in the future, then the chain of attacks linked to LockBit 3.0 will continue to worry cyber defenders for months or even years,” Sectrio wrote.
The namesake operators behind LockBit were among the most active ransomware groups in 2022, and Akamai said in a report this month that LockBit and Cl0p – bolstered by its abuse of the MOVEit file transfer system – were the top ransomware threats so far this year.
The group not only runs ransomware campaigns but also a ransomware-as-a-service (RaaS) operation that offers affiliates that use its malware up to 80% of ransoms paid, according to Ovalle and Figurelli.
LockBit 3.0 hit the scene in June 2022 and included features that pose challenges for analysts, including encrypted executables with randomly generated passwords, undocumented kernel-level Windows functions, and techniques that make it difficult to reverse-engineer the malware.
LockBit also runs its own bug bounty program.
Variants on the Rise
Three months later, the builder was leaked. The LockBit Black variant that Kaspersky discovered soon after the leak included a lot of the tactics, techniques, and procedures (TTPs) found in LockBit 3.0, such as methods for reconnaissance, enumeration, collection, and deployment.
“Although this variant was confirmed as Lockbit, the ransom demand procedure was quite different from the one known to be implemented by this threat actor,” the researchers wrote. “The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY.”
The ransom note spelled out the amount the victim needed to pay to get the decryption keys and used a Tox service and email for communications. The LockBit group uses its own negotiation platform and communication methods, Ovalle and Figurelli wrote.
This is similar to what other groups leveraging the leaked builder – such as the Bloody ransomware gang and GetLucky – have done, they wrote.
Kaspersky researchers analyzed the leaked builder to understand its construction and to examine how it is being used by various threat groups to build their own variants. They were able to analyze 396 samples in the wild to learn how other groups were using LockBit’s code.
Many of the parameters essentially were the builder’s default configuration with some minor changes, suggesting “the samples were likely developed for urgent needs or possibly by lazy actors,” they wrote. Few samples enabled communication with a command-and-control (C2) server.
Other analysts also have seen ransomware strains built off the leaked LockBit 3.0 code. Symantec’s Threat Hunter Team in May wrote about a new ransomware operation called Buhti whose payload included variants of not only the leaked LockBit builder but also leaked code from the Babuk ransomware family.
Symantec named the operators behind Buhti “Blacktail.”
“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated,” the analysts wrote.