LockBit has emerged as the biggest player in the “ransomware as a service” (RaaS) market in the past year. But the group may now be on the ropes as its newly revamped LockBit Ransomware Builder, the tool used to both build ransomware executables and decrypt locked files, is now available to the public via what the group claims is a “disgruntled developer.”
LockBit ransomware will undoubtedly be copied and used by other threat actors in the near term, putting the group’s business at risk. But the leak of the ransomware builder also gives security researchers valuable insights into bolstering the ability of cyber defenses to detect it and into decrypting locked files. The incident may end up finally dethroning LockBit, which became the premier RaaS group after major rivals such as Conti and REvil broke up under law enforcement pressure.
Newly overhauled LockBit ransomware compromised by insider
A new version of the LockBit ransomware (3.0) had just debuted in June, promising its criminal clientele that it would “make ransomware great again” with an assortment of new features. The ransomware builder that has made its way to the public is for this newly revised version, also sometimes called “LockBit Black” by the group.
The ransomware builder first appeared on Twitter on September 21, posted by a newly registered user under the handle “ali_qushji.” The Twitter user claimed that they had hacked several of the LockBit ransomware servers and located the new ransomware builder on one of them. Numerous security researchers examined the ransomware builder and confirmed that it was legitimate.
After this happened, the VX-Underground malware monitoring service came forward to share that a Twitter user by the name of “protonleaks” had privately shared a copy of the ransomware builder with them on September 10. However, this user had a different story; they claimed to be an angry developer leaking the ransomware builder due to differences with the upper echelons of LockBit.
With this tool, anyone with basic knowledge of these types of attacks could immediately create a knockoff service using the authentic LockBit ransomware. The ransomware builder automates all aspects of the attack such as generating encryption keys, targeting specific services and processes, and even allowing for the easy creation of a custom ransom note.
Infighting has plagued other prominent ransomware groups, but LockBit was not particularly known for it prior to now. The breakup of Conti has been attributed in part to some elements of its leadership openly declaring support for Russia in its invasion of Ukraine and an intention to participate in retaliatory strikes, something that other members felt brought unnecessary heat on the otherwise profit-focused operation. LockBit had actually issued a statement in response to this brouhaha declaring that it was apolitical and did not intend to target Western critical infrastructure, apparently seeing the wisdom in avoiding getting entangled with geopolitics.
Leak of ransomware builder could be a crippling blow to LockBit
The LockBit ransomware was first spotted in 2019, and the group has been a leading RaaS outfit for over a year now. Trend Micro has identified nearly 2,000 LockBit ransomware attacks in the first half of 2022 alone, and since the release of LockBit 3.0 the group is thought to account for nearly half of global ransomware incidents.
Could this leak be the end of LockBit ransomware? In the near term, it will likely increase as copycats make use of it. Lockbit’s survival will likely rely on its ability to overhaul the ransomware builder, essentially producing a “4.0” version, that will stand out from this copycat market and put them a step ahead of security researchers again. While the 3.0 code gives security researchers valuable insights that can be put toward improving detection of the LockBit ransomware, it does not contain master decryption “keys to the kingdom” that would allow any victim to easily recover from an attack.
Ransomware gangs are notoriously flexible, and LockBit may well pull all that off. But another possibility is that the group goes the way of others that have suffered a crippling mis-step and rebrand itself, potentially splitting off into smaller groups as Conti recently did.
There is a recent directly comparable case of a ransomware builder being leaked; in June 2021, the Babuk group saw their code posted to GitHub as they announced a “retirement” from the business. As with LockBit’s ransomware builder, the Babuk tool was highly customizable and easy to use. Cyber criminals quickly picked it up and began deploying their own versions of it, but it is hard to say if it contributed to the group’s breakup as it had already announced a shift to a data extortion model. Conti also saw its ransomware builder leaked in March 2022, along with internal chat logs. That did not stop the group from having a highly productive final few months, however, as it remained one of the biggest threats until its dissolution in June.