Cybercriminals Harness Leaked LockBit Builder in Wave of New Attacks

Threat actors are using and customizing leaked Lockbit code to carry out their own ransomware attacks.

Lockbit is arguably the world's leading ransomware-as-a-service (RaaS) operation. Last June, it revealed its latest version 3 malware (also referred to as "Lockbit Black"), promising to "make ransomware great again." And it followed through — the latest iteration significantly upgraded on its already powerful predecessors, most notably with sophisticated anti-analysis protections. The third Lockbit has since been deployed in major campaigns, like the recent attack against the largest port in Japan.

Not all Lockbit attacks are carried out by Lockbit or its affiliates, however. After a developer leaked two versions of the builder code for Lockbit v3 last September, unaffiliated cybercriminals now appear to be adopting the cyber underground's premier malware-making tool for their own ends.

"It's very common for other hackers to take advantage of ransomware and other malware programs once the toolkit or source has leaked. Most hackers are lazy and they will take the quickest, shortest route to ill-gotten gains," said Roger Grimes, data-driven defense evangelist at KnowBe4, in a statement sent to Dark Reading.

A Different Face for Lockbit

Last Fall, researchers from Kaspersky observed a cyber intrusion using a variant of Lockbit v3 to encrypt an organization's critical systems. But the nature of the attack was not at all aligned with Lockbit's M.O.

In a ransom note, the perpetrators identified themselves as the "National Hazard Agency." Their message was par for the course — "your data are encrypted," "if you do not pay the ransom we will attack your company repeatedly again," etc. They included an email and instant messaging contact details, and demanded $3 million paid in Bitcoin or Monero. (Major RaaS' like Lockbit use their own bespoke platform for negotiating with victims.)

Other researchers observed other groups using Lockbit around this time, but with their own twist on the ransom note, like in the low-grade example below:

Source: AnyRun

To determine how many unaffiliated actors were doing this, Kaspersky researchers recently analyzed 396 observed Lockbit builder samples from the wild. Of those, 77 made no reference to Lockbit or used different contact information in their associated ransom notes, indicating the culpability of unaffiliated actors.

How Cyberattackers Are Customizing Lockbit

According to Kaspersky, most Lockbit adopters targeted local disks or network shares, enabling the kill service, kill process, kill defender, delete logs, and self-destruct parameters in the malware. Most did not enable the system shutdown parameter, and very few utilized communication with a command-and-control server.

Besides these rather minor customizations, Lockbit adopters made few changes to the malware itself.

"Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes. This indicates the samples were likely developed for urgent needs or possibly by lazy actors," the researchers explained.