Developer leaks LockBit 3.0 ransomware build code


One of the problems with running a ransomware operation as part of a regular business is that disgruntled employees may want to sabotage the operation due to perceived unfairness.

This appears to have been the case with the operators of the prolific LockBit ransomware-as-a-service operation this week when a seemingly irate developer released the encryption code for the latest version of the malware – LockBit 3.0 aka LockBit Black – at GitHub. This development has both negative and potentially positive implications for security advocates.

A season open to all

The public availability of the code means that other ransomware operators – and aspiring ones – now have access to the builder for arguably one of the most sophisticated and dangerous strains of ransomware currently in the wild. As a result, new copycat versions of the malware may soon start circulating and adding to the already chaotic ransomware threat landscape. At the same time, the leaked code gives white hat security researchers a chance to disassemble the build software and better understand the threat, according to Huntress Labs security researcher John Hammond.

“This build software leak renders the ability to configure, customize and ultimately build the executables not only to encrypt but also to decrypt the files,” it said in a statement. “Anyone with this utility can start a full fledged ransomware operation.”

At the same time, a security researcher can analyze the software and potentially gather intelligence that could thwart further attacks, he noted. “At a minimum, this leak gives advocates a better look at some of the work going on within the LockBit group,” Hammond said.

Huntress Labs is one of several security vendors that analyzed the leaked code and identified it as legitimate.

Prolific threat

LockBit surfaced in 2019 and has since become one of today’s biggest ransomware threats. In the first half of 2022, Trend Micro researchers identified some 1,843 attacks involving LockBit, making it the most prolific ransomware strain the company has encountered this year. An earlier report from the Palo Alto Networks Unit 42 Threat Research Team described the previous ransomware version (LockBit 2.0) as accounting for 46% of all ransomware breach events in the first five months of the year. Security identified the LockBit 2.0 leak site as listing more than 850 victims in May. Since release of LockBit 3.0 in Juneattacks involving the ransomware family have increased by 17%according to security provider Sectrio.

LockBit operators presented themselves as a professional team focusing primarily on organizations in the professional services, retail, manufacturing, and wholesale industry. The group has vowed not to attack healthcare, educational and charitable institutions, although security researchers have observed that groups using the ransomware do so anyway.

Earlier this year, the band caught the eye even as they announced a bug bounty program offering rewards to security researchers who found issues with its ransomware. The group would have paid $50,000 in reward money to a bug hunter who reported a problem with his encryption software.

Legit code

Azim Shukuhi, a researcher at Cisco Talos, says the company has reviewed the leaked code and everything points to it being the legitimate software vendor. “Furthermore, LockBit’s own social media and admin comments indicate that the builder is real. It allows you to assemble or create a personal version of the LockBit payload with a key generator for the decryption,” he said.

However, Shukuhi is somewhat skeptical of the usefulness of the leaked code for defenders. “Just because you can reverse engineer the builder doesn’t mean you can stop the ransomware itself,” he says. “Additionally, in many circumstances, by the time the ransomware is deployed, the network has been fully compromised.”

Following the leak, the LockBit authors are also likely rewriting the constructor to ensure that future versions won’t be compromised. The group is also likely struggling with brand damage from the leak. Shukuhi said.

In an interview, Huntress ‘Hammond tells Dark Reading that the leak was ‘definitely an ‘oops’ [moment] and embarrassment for LockBit and their operational security. “But like Shukuhi, he thinks the group will just change their tooling and carry on as before. Other threat actor groups can use this builder for their own operations, he says. Any new activity around the leaked code will not than perpetuate the existing threat.

Hammond says Huntress’s analysis of the leaked code shows that the tools now exposed could allow security researchers to potentially find flaws or weaknesses in the cryptographic implementation. But the leak does not offer all the private keys that could be used to decrypt the systems, he adds.

“Honestly, LockBit seemed to ignore the issue like it was not a problem,” Hammond notes. “Their representatives explained, in essence, that we fired the programmer who disclosed this, and assured affiliates and supporters that it was a deal breaker.”

You may also like

Leave a Comment

About Us

Times Global Will keep you updated To the Latest News Around The Globe..

Feature Posts


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Subscribe To our Newsletter

Join our subscribers list and get Latest News directly to your inbox.