LockBit 3.0 Builder Code Leak Points to Another Disgruntled Criminal Employee
Oct 12, 2022
The recent Conti vs. Monti story (see Intel 471's blog: Conti vs. Monti: A Reinvention or Just a Simple Rebranding?) highlights a simple truth about the cyber underground: we should not discount human emotions driving events in the world of cybercrime. To underscore Conti vs. Monti is likely not a one-off, consider the Lockbit 3.0 builder code leak.
LockBit: one of the world's most dangerous ransomware variants
LockBit is perhaps the world's most prolific ransomware-as-a-service (RaaS). As a RaaS, Lockbit is used and distributed by a plethora of criminal groups and individuals alike. It spreads using spear-phishing emails and stolen VPN and RDP credentials.
Lockbit emerged in 2019 and was called the 'abcd' virus after the .abcd file extension it left on encrypted files. Its purveyors became known as the ABCD group. Since then, the product and group have evolved and changed names. Now known as 'LockBit', the product continues to add new features, capabilities and optimizations, driven by the market and “customer” (ransomware groups) demands.
According to the LockBit 2.0 website - yes, they have their own website - more than 750 victims were affected in 2022 by this ransomware. Additionally, it is claimed by criminals that they have reportedly damaged at least 12,125 companies. One Brazilian-based company reported a revenue loss of $34.8 million and an additional $7.3 million in costs related to mitigating the impact of their Lockbit incident.
LockBit 3.0, the newest upgrade of the ransomware variant, was first “released” in the Spring of 2022. With version 3.0 came new features, including the ability to encrypt and exfiltrate all the files on an infected device. This feature allows the attacker to hold the victim's data hostage while demanding a ransom payment.
LockBit 3.0 ransomware builder code leaked by developer
As with Conti, the LockBit group acts more like a tech startup than a criminal enterprise. They hire developers and testers, pay big salaries and bonuses, recognize star employees, etc. Earlier this year, they even announced a bug bounty program. Reportedly they paid $50,000 in reward money to a bug hunter who found an issue with its encryption software.
On September 21, 2022, an unhappy Lockbit developer released the builder code for LockBit 3.0 to GitHub! This code allows anyone to build a fully functional encryptor and decryptor that threat actors can use for their own personal agendas, such as using the LockBit source code as foundation to build other ransomware programs. There is much speculation about who the leaker is and why they leaked the code. But apparently, the developer had a falling out with the LockBit group. The world found out about the leak via Twitter.
Will LockBit go the way of Conti?
Like the Whack-a-Mole game, RaaS groups surface, inflict attacks, then go quiet, only to resurface in the future. Criminal organizational instability and internal politics account for some of this churn, but law enforcement activities also contribute. Typically, however, when an active group goes dark, they rebrand, evolve, and prepare to strike more targets.
When the Conti files leaked earlier this year, researchers began sifting through that massive heist leaving the Conti group highly exposed. The U.S. State Department offered increased bounties for information on the group. As a result, the entire Conti operation went quiet for months. Recently, however, there is some evidence that Conti may be operating again under the new moniker of ‘Monti”, or their leaked builder has facilitated another ransomware group's operations.
In the case of LockBit 3.0, the builder leak represents terrible news for the LockBit group because any knowledgeable party can build the executables required to launch their own RaaS operation. As a result, second-tier criminal groups and individual actors can develop businesses and launch their own attacks based on this code. But LockBit claims, in a now-deleted tweet, that they are still in business and were not hacked, likely an attempt to save face and preserve the reputation of the ransomware group. So far, there is no sign of disbanding or going quiet, although the leak could result in fewer breaches attributed to Lockbit in the fourth quarter of 2022. Nor is there any discussion of how they intend to deal with those using the builder codes for their own nefarious ends.
The syndicate likely will need to focus attention on modifying the ransomware’s code and the groups’ tactics, techniques and procedures (TTPs), as well as implementing increased operational security (OPSEC) measures.
This story is still playing out.
The human X factor deflating ransomware attacks
Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises. And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation. The world is full of white hat researchers armed with the most up-to-date security tools and techniques. But, perhaps, we should consider human vulnerabilities as a vector worth investing in to stop cybercriminals.