The leak of the LockBit 3.0 ransomware builder has triggered a surge in personalized variants, impacting various organizations.
Writing in an advisory published last Friday, Kaspersky researchers Eduardo Ovalle and Francesco Figurelli have provided insights into the consequences of this breach, shedding light on the array of LockBit 3.0 derivatives.
LockBit 3.0, also known as LockBit Black, first emerged in June 2022 and posed challenges for security analysts and automated defense systems due to its encrypted executables, random passwords and undocumented Windows functions.
In September 2022, the uncontrolled leak of the LockBit 3.0 builder surfaced, enabling cyber-criminals to create tailored ransomware strains. Two versions of the builder appeared, each with slight variations. Subsequently, attacks utilizing these customized LockBit variants increased, deviating from the usual LockBit operations in aspects like ransom notes and communication channels.
Read more on LockBit attacks: LockBit Dominates Ransomware World, New Report Finds
Kaspersky’s GERT team conducted an in-depth analysis of the leaked builder. The team examined the builder’s underlying architecture, shedding light on its construction methodology, encryption techniques and configuration parameters.
Through this investigation, the team was able to unravel the complexities of the builder’s design, gaining insights into how it assembles the ransomware strains, secures its payload and configures various parameters that govern its behavior.
“Suddenly, not only is the barrier to entry for the LockBit group removed, but a good deal of their weaponized techniques, tactics and procedures (TTPs) have been exposed,” commented Colin Little, security engineer with threat intelligence provider Centripetal.
“Law enforcement now has a lot of comparative data which will be used to close in around the LockBit group. This will also help cyber defenders prevent infiltration around the LockBit and affiliate TTPs.”