The LockBit ransomware operation suffered a breach as a supposedly disgruntled developer leaked the builder of the gang’s latest encryptor.
In June, the LockBit ransomware operation released version 3.0 of its encryptor, named LockBit Black, after testing it for two months.
The new version promised to “make ransomware even better,” adding new anti-scanning features, a ransomware bug bounty program, and new extortion methods.
However, it looks like LockBit has suffered a breach, with two people (or possibly the same person) leaking the LockBit 3.0 builder on Twitter.
LockBit 3.0 builder leaked on Twitter
According to a security researcher 3xp0rta newly registered Twitter user named “Ali Qushji” says his team hacked LockBits servers and found a builder for the LockBit 3.0 ransomware encryptor.
After security researcher 3xp0rt shared the tweet about leaked LockBit builder 3.0, VX-Metro shared that they were contacted on September 10 by a user named “protonleaks”, who also shared a copy of the builder.
However, VX-Underground says that LockBitSupp, the public representative of the LockBit operation, claims that they were not hacked, but rather a disgruntled developer leaked the private ransomware manufacturer.
“We contacted the Lockbit ransomware group about this and discovered that this leak was a programmer employed by the Lockbit ransomware group,” VX-Underground shared in a now-deleted tweet.
“They were upset with Lockbit’s leadership and disclosed the builder.”
BleepingComputer has spoken to several security researchers who have confirmed that the builder is legit.
Builder lets anyone create a ransomware gang
Regardless of how the private ransomware builder was leaked, it’s not just a blow to the LockBit ransomware operation, but also to the company, which will see an increase in the number of malicious actors using it to launch their own attacks.
The leaked LockBit 3.0 builder allows anyone to quickly build the executables needed to launch their own operation, including an encryptor, a decryptor, and specialized tools to launch the decryptor in certain ways.
The generator consists of four files, an encryption key generator, a generator, an editable configuration file, and a batch file to generate all files.
The included “config.json” can be used to customize an encryptor, including changing the ransom note, changing configuration options, deciding which processes and services to terminate, and even specifying the command and server server. control to which the encryptor will send data.
By modifying the configuration file, any malicious actor can customize it according to their own needs and modify the created ransom note to link it to their own infrastructure.
When the batch file is executed, the builder will create all the files needed to run a successful ransomware campaign as shown below.
BleepingComputer tested the leaked ransomware generator and was able to easily customize it to use our own local command and control server, encrypt our files and then decrypt them, as shown below.
This builder is not the first time a ransomware builder or source code has leaked online, leading to increased attacks by other threat actors who have launched their own operations.
In June 2021, the Babuk ransomware generator was leaked, allowing anyone to create encryptors and decryptors for Windows and VMware ESXi, which other threat actors have used in attacks.
In March 2022, when the Conti ransomware operation suffered a data breach, their source code was also leaked online. This source code was quickly used by the NB65 hacking group to launch ransomware attacks against Russia.
#LockBit #ransomware #builder #leaked #online #angry #developer