LockBit 3.0

Chris Swagler | October 5th, 2023

In a world where cyber threats evolve at an alarming pace, the leak of the LockBit 3.0 ransomware builder in September 2022 has proven to be a catalyst for a wave of cybercriminal activity. What began as a single sophisticated ransomware strain has, through its leaked builder, given rise to hundreds of personalized variants, transforming the threat landscape in unexpected ways.

Profile of LockBit 3.0 Ransomware Variant

LockBit 3.0, also referred to as LockBit Black, first appeared in June 2022. Its distinctive features posed formidable challenges for security analysts and automated defenses alike: the payload is stored encrypted and only unpacks when the correct per-build password is supplied on the command line, so a sample captured without its password can be neither detonated nor fully analyzed, and the code relies on undocumented Windows functions to evade detection. The turning point came in September of the same year, when the LockBit 3.0 builder was leaked publicly. That leak handed cybercriminals an unprecedented opportunity to craft tailor-made ransomware strains without writing any code of their own.

Two distinct versions of the leaked builder surfaced, each with subtle variations. Threat actors soon began deploying customized LockBit variants built with them, departing from the modus operandi of the original LockBit group. The alterations extended to ransom notes and communication channels, obscuring the familiar patterns that defenders and negotiators associate with LockBit attacks.

One cybersecurity company's global emergency response team studied the leaked builder closely to uncover its architecture, encryption methods, and configuration parameters. Through that analysis, researchers documented how the builder assembles a ransomware strain, how it protects the resulting payload, and how its configuration parameters govern the payload's behavior, such as which files are touched and whether the sample reports back to its operators. Each build therefore carries a fingerprint of the choices its operator made.

The ramifications of this breach were manifold. The barrier to entry for running LockBit-grade ransomware collapsed, and the group's once-guarded techniques, tactics, and procedures (TTPs) were laid bare. Law enforcement agencies gained comparative data with which to tighten their pursuit of the LockBit group and its affiliates. Competition among ransomware operators intensified as rivals and imitators leveraged the leaked builder to launch their own campaigns, and attribution became harder: a LockBit payload on a victim network no longer proves that LockBit's own affiliates were behind the intrusion.

Among the intriguing revelations is a variant that used a different ransom demand procedure. This variant, confirmed to be built from LockBit code, carried a ransom note attributed to the fictitious "National Hazard Agency." Strikingly different from the LockBit group's usual approach, the note demanded a specific sum ($3 million) and provided email and chat contact details for negotiation. The LockBit group, by contrast, states no fixed price in its note and directs victims to its own communication and negotiation platform.

Upon analyzing nearly 400 samples of the malware, researchers observed that a notable portion (77 out of 396 samples) made no reference to "LockBit" in their ransom notes. Such deviations from established tactics indicate probable use of the builder by actors other than the original LockBit group. Interestingly, most of these samples kept the builder's default configuration, suggesting they were developed hastily or by less dedicated threat actors. For defenders this cuts both ways: the rebranded note hides the LockBit origin, but a default-configuration build still behaves on disk and in memory like LockBit 3.0, so detections written for the original payload continue to apply.
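A triage routine of the kind that surfaces these deviations, added here as an example (it is not code from the original article or from the research team's own tooling): it profiles a batch of ransom-note texts, records whether each still names LockBit, extracts the negotiation channels and any explicit dollar demand, and counts how many depart from the familiar LockBit 3.0 pattern. The sample notes, the Tox ID, the email addresses and the .onion address are all constructed stand-ins, and the deviation heuristic is an assumption of this example rather than a published rule.

```python
"""Ransom-note triage for samples built with the leaked LockBit 3.0 builder.

Added example, not code from the original article or from any vendor's
tooling. The notes below are constructed stand-ins, not real ransom notes.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a Tox ID (76 hex characters) so the extractor
# has something to match.
FAKE_TOX_ID = ("C0FFEE" * 12) + "ABCD"

# Constructed sample notes keyed by a made-up sample id.
SAMPLE_NOTES = {
    # Familiar LockBit 3.0 pattern: brand named, Tor portal, no fixed price.
    "sample-01": (
        "LockBit 3.0\n"
        "Your data are stolen and encrypted.\n"
        "Contact us via the Tor portal: http://lockbitsupportexample.onion/?id=0001\n"
    ),
    # Rebranded note of the kind the article describes: no brand reference,
    # a fixed demand, email and Tox contacts instead of the Tor portal.
    "sample-02": (
        "National Hazard Agency\n"
        "All your files are encrypted. The price is $3 million.\n"
        "Write to us: recovery@example.com\n"
        "Tox: " + FAKE_TOX_ID + "\n"
    ),
    # Builder left at its default configuration: brand and Tor portal kept.
    "sample-03": (
        "LockBit 3.0\n"
        "Tor link: http://lockbitsupportexample.onion/?id=0003\n"
    ),
    # No brand, no fixed price, email-only negotiation.
    "sample-04": (
        "Your network has been locked.\n"
        "Email decrypt@example.net and quote ID 0004.\n"
    ),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.I)
TOX_RE = re.compile(r"\b[0-9A-F]{76}\b")
# "$3 million", "$500,000", "$50k" -> integer US dollars.
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)\s*(million|m|k)?\b", re.I)


@dataclass
class NoteProfile:
    sample_id: str
    mentions_lockbit: bool
    emails: list
    onion_urls: list
    tox_ids: list
    ransom_amount_usd: Optional[int]
    deviates: bool  # heuristic: departs from the familiar LockBit pattern


def parse_amount(text: str) -> Optional[int]:
    """Return an explicit dollar demand as an integer, or None if absent."""
    m = AMOUNT_RE.search(text)
    if not m:
        return None
    value = float(m.group(1).replace(",", ""))
    unit = (m.group(2) or "").lower()
    scale = {"million": 1_000_000, "m": 1_000_000, "k": 1_000}.get(unit, 1)
    return int(value * scale)


def profile_note(sample_id: str, text: str) -> NoteProfile:
    """Extract brand reference, contact channels and demand from one note."""
    mentions = re.search(r"lock\s*bit", text, re.I) is not None
    emails = EMAIL_RE.findall(text)
    onions = ONION_RE.findall(text)
    toxes = TOX_RE.findall(text)
    amount = parse_amount(text)
    # Heuristic (an assumption of this example): the familiar LockBit 3.0
    # note names the brand, points to a Tor negotiation portal and states
    # no fixed price. Any of the following marks a departure from that.
    deviates = (not mentions) or amount is not None or (bool(emails or toxes) and not onions)
    return NoteProfile(sample_id, mentions, emails, onions, toxes, amount, deviates)


def triage(notes: dict) -> dict:
    """Profile every note and summarise how many depart from the LockBit pattern."""
    profiles = [profile_note(sid, txt) for sid, txt in notes.items()]
    return {
        "profiles": profiles,
        "total": len(profiles),
        "no_lockbit_reference": sum(1 for p in profiles if not p.mentions_lockbit),
        "deviating": sum(1 for p in profiles if p.deviates),
        "fixed_demand": sum(1 for p in profiles if p.ransom_amount_usd is not None),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NOTES)
    for p in result["profiles"]:
        print(p)
    print({k: v for k, v in result.items() if k != "profiles"})
```

Run against a directory of notes collected from incident cases, the summary counts reproduce the kind of statistic quoted above (notes with no LockBit reference, notes with a fixed demand), while the per-sample profiles give the negotiation channel and amount for each build so that repeat operators can be clustered by contact details.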

The modifications extended beyond ransom notes. Only a small number of the analyzed samples had the command-and-control (C2) communication function enabled, a notable shift away from C2-focused communications. This could signify diminishing interest in establishing C2 channels with the leaked payloads, and it carries a practical consequence: network indicators such as beaconing to LockBit infrastructure cannot be relied on to detect these builds, leaving host-based evidence (the dropped note, the renamed and encrypted files, the payload itself) as the primary signal.

While the LockBit gang's notoriety continues, this series of events underscores the dynamic nature of cyber threats and the cascading impact of a builder leak. With various threat groups capitalizing on the LockBit 3.0 builder leak to forge their own ransomware variants, the cyber landscape stands at a crossroads: law enforcement agencies are leveraging comparative insights, and defenders are adapting to the evolving tactics of cyber adversaries. As this cycle of evolution and adaptation persists, it becomes ever more imperative for organizations to remain vigilant, resilient, and proactive in the face of emerging threats.

At SpearTip, we examine companies' security posture to improve the weak points in their networks. Our team engages with companies' people, processes, and technology to measure the maturity of their technical environments. For every vulnerability uncovered, we provide a technical roadmap, ensuring companies have the awareness and support to optimize their overall cybersecurity posture. Our cybersecurity awareness training is designed to educate individuals and companies about cybersecurity best practices and to provide the knowledge and skills necessary to protect their systems and data from cyber threats. The training covers topics such as password security, phishing scams, social engineering, malware, data protection, and network security. With this training, companies and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that reduce the likelihood of cyberattacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
