LockBit ransomware builder leaked online by “angry developer”

The LockBit ransomware operation has experienced a security breach, purportedly involving a disgruntled developer who has disclosed the builder for the gang’s latest encryption tool.

Back in June, the LockBit ransomware operation introduced version 3.0 of their encryption tool, known as LockBit Black, following a two-month testing period. This new iteration aimed to “Make Ransomware Great Again” by introducing additional anti-analysis features, launching a ransomware bug bounty program, and implementing new methods of extortion.

However, it now appears that LockBit has fallen victim to a breach, with two individuals, possibly the same person, leaking the LockBit 3.0 builder on Twitter.

LockBit 3.0 builder leaked on Twitter

A recently registered Twitter user going by the name ‘Ali Qushji’ claims that their team hacked LockBit’s servers and came across a builder for the LockBit 3.0 ransomware encryptor, as reported by security researcher 3xp0rt.

Following 3xp0rt’s tweet about the leaked LockBit 3.0 builder, VX-Underground revealed that on September 10th, they were contacted by a user named ‘protonleaks,’ who also shared a copy of the builder.

However, LockBitSupp, the public representative of the LockBit operation, countered these claims by asserting that they were not hacked. Instead, they disclosed that a disgruntled developer within their ranks had leaked the private ransomware builder. VX-Underground shared this information, stating, “We reached out to Lockbit ransomware group regarding this and discovered this leaker was a programmer employed by Lockbit ransomware group. They were upset with Lockbit leadership and leaked the builder.”

Multiple security researchers interviewed by BleepingComputer have verified the legitimacy of the builder.

Irrespective of how the private ransomware builder was exposed, this incident represents a significant setback for the LockBit ransomware operation. It also poses a heightened threat to enterprises, as it is expected that more threat actors will exploit this builder to conduct their own attacks.

The leaked LockBit 3.0 builder enables individuals to swiftly create the necessary executables for launching their operations. This includes an encryptor, decryptor, and specialized tools for initiating the decryptor in specific manners.

The builder encompasses four essential files: an encryption key generator, a builder module, an adaptable configuration file, and a batch file designed to compile all of these components.

The provided ‘config.json’ file offers a high degree of customization for the encryptor. It allows for the alteration of the ransom note, adjustment of configuration settings, selection of processes and services for termination, and even the specification of the command and control server to which the encryptor will transmit data.

Through modifications to the configuration file, any threat actor can tailor it to suit their specific requirements, including linking the ransom note to their infrastructure.

Upon execution of the batch file, the builder facilitates the creation of all necessary files, streamlining the process for launching a successful ransomware campaign.

It’s noteworthy that this builder is not the first instance of ransomware builder or source code leakage online. Such incidents have historically led to an upsurge in attacks by other threat actors who seize the opportunity to initiate their operations.

In June 2021, the Babuk ransomware builder was exposed, enabling anyone to craft encryptors and decryptors for Windows and VMware ESXi. Subsequently, other threat actors leveraged this tool in their attacks.

In March 2022, when the Conti ransomware operation experienced a data breach, its source code became public. The source code was swiftly utilized by the NB65 hacking group to execute ransomware attacks, primarily targeting entities in Russia.

Attention: CLICK HERE to follow our facebook page