LockBit 3.0 Ransomware Builder Leaked on Twitter

LockBit ransomware builder has become a tool utilized by ransomware gangs in cyber attacks against companies. The new BlooDy Ransomware Gang is among these group using the builder to perpetrate their attacks. Last week, it was unveiled on Twitter that the newest version of this builder - LockBit 3.0 - has been leaked. This updated builder gives any user the ability to build a fully functional encryptor and decryptor - this is an especially helpful feature for a ransomware gang since encryption is the name of the game when it comes to ransomware. Ransomware is when the malicious actors (or ransomware gang) stealthily gains access to a network, usually for a business or company, steals the data that is crucial to the company, and then encrypts it and holds it for ransom.

It is believed that the new ransomware builder variant was "leaked" by a disgruntled developer. The BlooDy Ransomware Gang has already begun using this leaked builder to attack Ukrainian entities. This is not the first time that the LockBit brand has had a breach or leak of one of their builders. Earlier this year, LockBit released a builder that they called LockBit Black which included new features that would be helpful for a ransomware gang such as anti-analysis features and "new and improved" extortion methods to help further perpetrate a ransomware attack on unsuspecting businesses.

This leaked ransomware builder is a very dangerous tool as it give the ability to anyone to create their own ransomware gang. The LockBit 3.0 enables a user to build their attack swiftly and quickly as it comes with everything needed to create a strong ransomware attack. When saying it includes "everything" necessary to build a ransomware attack, that may not be clear to most of us who are not in fact cybercriminals. For those of us who are unsure what this means, the builder includes an encryption key generator, a builder for ransomware, a modifiable or customizable configuration table, and a batch file to build the files.

This explains how a malicious gang online might use the software to perpetrate a ransomware attack, but what does a LockBit 3.0 attack look like to the victims of said attack? First, the LockBit 3.0 infects a victim's device and begins the ransomware process of encrypting the files. This specific ransomware variant takes the stolen files and adds an extension to the encrypted files as “HLjkNskOq”. There is then a command-line argument key known as "-pass" which is then required to carry out the encryption. The LockBit 3.0 encrypts data quicker than other variants, so this process takes less time. The infected user's desktop wallpaper is then changed with a warning to let them know that they are under attack. As with any ransomware attack, if the ransom is not paid up by the victim by a given deadline, the malicious actors will sell the stolen and encrypted data on the dark web, leaving the targeted company without their important internal and customer data.

Image by rawpixel.com for Freepik.