Developer Leaks LockBit 3.0 Ransomware-Builder Code

Code could allow other attackers to develop copycat versions of the malware, but it could help researchers understand the threat better as well.

One problem with running a ransomware operation along the lines of a regular business is that disgruntled employees may want to sabotage the operation over some perceived injustice.

That appears to have been the case with the operators of the prolific LockBit ransomware-as-a-service operation this week when an apparently peeved developer publicly released the encryptor code for the latest version of the malware — LockBit 3.0 aka LockBit Black — to GitHub. The development has both negative and potentially positive implications for security defenders.

An Open Season for All

The public availability of the code means that other ransomware operators — and wannabe ones — now have access to the builder for arguably one of the most sophisticated and dangerous ransomware strains currently in the wild. As a result, new copycat versions of the malware could soon begin circulating and adding to the already chaotic ransomware threat landscape. At the same time, the leaked code gives white-hat security researchers a chance to take apart the builder software and better understand the threat, according to John Hammond, security researcher at Huntress Labs.

"This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files," he said in a statement. "Anyone with this utility can start a full-fledged ransomware operation." 

At the same time, a security researcher can analyze the software and potentially garner intelligence that could thwart further attacks, he noted.  "At minimum, this leak gives defenders greater insight into some of the work that goes on within the LockBit group," Hammond said. 

Huntress Labs is one of several security vendors that have analyzed the leaked code and identified it as being legitimate.

Prolific Threat

LockBit surfaced in 2019 and has since emerged as one of the biggest current ransomware threats. In the first half of 2022, researchers from Trend Micro identified some 1,843 attacks involving LockBit, making it the most prolific ransomware strain the company has encountered this year. An earlier report from Palo Alto Networks' Unit 42 threat research team described the previous version of the ransomware (LockBit 2.0) as accounting for 46% of all ransomware breach events in the first five months of the year. The security identified the leak site for LockBit 2.0 as listing over 850 victims as of May. Since the release of LockBit 3.0 in June, attacks involving the ransomware family have increased 17%, according to security vendor Sectrio.

LockBit's operators have portrayed themselves as a professional outfit focused mainly on organizations in the professional services sector, retail, manufacturing, and wholesale sectors. The group has avowed not to attack healthcare entities and educational and charitable institutions, though security researchers have observed groups using the ransomware do so anyway. 

Earlier this year, the group garnered attention when it even announced a bug bounty program offering rewards to security researchers who found problems with its ransomware. The group is alleged to have paid $50,000 in reward money to a bug hunter who reported an issue with its encryption software.

Legit Code

Azim Shukuhi, a researcher with Cisco Talos, says the company has looked at the leaked code and all indications are that it is the legitimate builder for the software. "Also, social media and comments from LockBit's admin themselves indicate that the builder is real. It allows you to assemble or build a personal version of the LockBit payload along with a key generator for decryption," he says.

However, Shukuhi is somewhat dubious about how much the leaked code will benefit defenders. "Just because you can reverse-engineer the builder doesn’t mean that you can stop the ransomware itself," he says. "Also, in many circumstances, by the time the ransomware is deployed, the network has been fully compromised."

Following the leak, LockBit's authors are also likely hard at work rewriting the builder to ensure that future versions won't be compromised. The group is also likely dealing with brand damage from the leak. Shukuhi says.

In an interview, Huntress' Hammond tells Dark Reading that the leak was "certainly an 'oops' [moment] and embarrassment for LockBit and their operational security." But like Shukuhi, he believes that the group will simply change up their tooling and continue as before. Other threat actor groups may use this builder for their own operations, he says. Any new activity around the leaked code is just going to perpetuate the existing threat.

Hammond says Huntress' analysis of the leaked code shows that the now-exposed tools might enable security researchers to potentially find flaws or weaknesses in the cryptographic implementation. But the leak does not offer all private keys that could be used to decrypt systems, he adds.

"Truthfully, LockBit seemed to brush off the issue as if it was no concern," Hammond notes. "Their representatives explained, in essence, we have fired the programmer who leaked this, and assured affiliates and supporters that business."

Editors' Choice
Evan Schuman, Contributing Writer, Dark Reading
Tara Seals, Managing Editor, News, Dark Reading
Jeffrey Schwartz, Contributing Writer, Dark Reading