The cybercriminal world was shaken last year when the source code of LockBit 3.0, one of the most popular and successful ransomware strains, was leaked online by a disgruntled developer. The leak exposed the inner workings of the ransomware and allowed anyone with some technical skills to create their own variants and launch their own campaigns.
LockBit 3.0 is a ransomware-as-a-service (RaaS) platform that enables affiliates to rent the ransomware and use it to encrypt the files of their victims, demanding a ransom in exchange for the decryption key. LockBit 3.0 was released in 2022 by the LockBit group, which claimed to have improved the encryption speed, stealth, and evasion techniques of the previous versions.
According to a report by Malwarebytes [1], the leaked builder consists of four files: a key generator, a builder executable, a configuration file, and a batch file. The configuration file allows the operator to customize various aspects of the ransomware, such as the command and control server, the processes to terminate, the ransom note, and more.
Since the leak, security researchers have observed hundreds of new LockBit variants that were created using the builder. Kaspersky [2] detected a modified version of LockBit that was deployed by a group calling itself NATIONAL HAZARD AGENCY, which specified the ransom amount and used a different communication channel than the original LockBit.
Other variants have changed the ransom note or removed any mention of LockBit altogether, trying to distance themselves from the original group. Some of these variants may be used by new or inexperienced actors who want to take advantage of the ready-made ransomware, while others may be fake packages that infect the operator instead of building the ransomware.
The leak of the LockBit 3.0 builder has serious implications for the cybersecurity landscape, as it could lead to a surge of ransomware attacks targeting various sectors and organizations. According to a security advisory by CISA [3] and its partners, LockBit has stolen approximately $91 million from US victims since 2020 and compromised about 1,700 US organizations in the last three years.
The advisory also provides some recommendations for mitigating the threat of LockBit and other ransomware variants, such as securing remote access, applying security updates, enforcing the principle of least privilege, segmenting networks, deploying endpoint detection and response (EDR) solutions, backing up data offline, and preparing a disaster recovery plan.
Ransomware is one of the most pervasive and damaging cyber threats today, and the leak of the LockBit 3.0 builder could make it even more widespread and diverse. Organizations and individuals should take all necessary steps to protect themselves from this menace and avoid paying ransoms that only fuel the criminal economy.