Chris Swagler | September 28th, 2022

A breach occurred in the LockBit ransomware operation, with a disgruntled developer leaking the builder for the group’s newest encryptor. After two months of testing, the LockBit ransomware operation released version 3.0 of its encryptor, called LockBit Black. The new version promises to “Make Ransomware Great Again” by introducing new anti-analysis features, a bug bounty program, Zcash payments, and new extortion methods. However, it appears that LockBit was compromised, resulting in the leak of the LockBit 3.0 builder.

According to threat intelligence, a newly registered Twitter user claimed that a team breached LockBit’s servers and discovered a builder for the LockBit 3.0 ransomware operation. After the leak was shared, VX-Underground stated that they were contacted by a user called “protonleaks” who also shared a copy of the builder. However, VX-Underground explained that LockBitSupp, the public representative of the LockBit operation, said that they weren’t breached and that the private ransomware builder was leaked by an internal developer. According to VX-Underground, the LockBit ransomware group was contacted for information and said that the leaker was a programmer employed by the group who was upset with LockBit leadership and leaked the builder. Multiple security researchers confirmed that the builder is legitimate.

Whatever method was used to leak the private ransomware builder, it’s a huge blow not only to the LockBit ransomware operation but to companies, which will see an increase in threat actors using it to launch their own attacks. The leaked LockBit 3.0 builder enables anyone to create the executables needed to conduct their own operations, including an encryptor, a decryptor, and specialized tools for launching the decryptor in specific ways. The builder is made up of four files: an encryption key generator, a builder, a modifiable configuration file, and a batch file that builds everything.

The “config.json” file customizes the encryptor: it controls the ransom note, configuration options, which processes and services to terminate, and the command-and-control server to which the encryptor sends data. By altering this file, threat actors can tailor the encryptor to their own needs and modify the generated ransom notes to point to their own infrastructure.

When the batch file is run, the builder generates all the files required to conduct a ransomware campaign.

The leaked ransomware builder was tested and easily customized to use a local command-and-control server, then used to encrypt and subsequently decrypt files.

This isn’t the first time a ransomware builder or source code has been leaked online, resulting in increased attacks by other threat actors launching their own operations. The Babuk ransomware builder was leaked in June 2021, allowing anyone to develop encryptors and decryptors for Windows and VMware ESXi, which other threat actors then used in ransomware attacks. When the Conti ransomware operation experienced a data breach in March 2022, its source code was also leaked online, and the NB65 threat actor group quickly used it to conduct ransomware attacks against Russia.

The leaked code gives security researchers the opportunity to dissect the builder software and gain a better understanding of the threat. By analyzing the software, researchers can potentially gather information that helps prevent future ransomware attacks. LockBit is likely to rewrite the builder to ensure no future compromises occur, which is why it’s important for companies to always remain vigilant about the current threat landscape and regularly keep off-site backups of network data. At SpearTip, our certified engineers are the trusted provider of breach coaches and handle data breaches with one of the fastest response times in the industry. With our 24/7/365 Security Operations Center, the engineers work continuously, in an investigative cycle, monitoring companies’ data networks for potential ransomware threats, including LockBit. The ShadowSpear Platform, our cutting-edge integrable managed detection and response solution, uses unparalleled data normalization and visualizations with comprehensive insights to detect sophisticated unknown and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.