One problem with running a ransomware operation along the lines of a regular business is that disgruntled employees might want to sabotage the operation due to a perceived unfairness.
That appears to have been the case for the operators of the prolific LockBit ransomware-as-a-service operation this week, when an apparently disgruntled developer publicly released the builder for the latest version of the malware, LockBit 3.0 aka LockBit Black, on GitHub. The development has negative and potentially positive consequences for security defenders.
An open season for everyone
The public availability of the code means that other ransomware operators, and wannabe operators, now have access to the builder for arguably one of the most sophisticated and dangerous strains of ransomware currently in the wild. As a result, new copycat versions of the malware may soon begin circulating, adding to the already chaotic ransomware threat landscape. At the same time, the leaked code gives white-hat security researchers a chance to take apart the builder software and better understand the threat, according to John Hammond, a security researcher at Huntress Labs.
“This leak of the builder software commoditizes the ability to configure, customize and ultimately generate the executables to not only encrypt but decrypt files,” he said in a statement. “Anyone with this tool can launch a full-fledged ransomware operation.”
At the same time, a security researcher can analyze the software and potentially gather intelligence that could prevent further attacks, he noted. “At the very least, this leak gives defenders greater insight into some of the work going on at the LockBit group,” Hammond said.
Huntress Labs is one of several security vendors that have analyzed the leaked code and confirmed it as legitimate.
LockBit appeared in 2019 and has since emerged as one of the biggest current ransomware threats. In the first half of 2022, researchers from Trend Micro identified around 1,843 attacks involving LockBit, making it the most prolific ransomware strain the company has encountered this year. An earlier report from Palo Alto Networks' Unit 42 threat research team described the previous version, LockBit 2.0, as accounting for 46% of all ransomware breach incidents in the first five months of the year. In May, security researchers counted 850 victims listed on the LockBit 2.0 leak site. Since the release of LockBit 3.0 in June, attacks involving the ransomware family have increased by 17%, according to security vendor Sectrio.
LockBit’s operators have portrayed themselves as a professional outfit focused mainly on organizations in the professional services, retail, manufacturing and wholesale sectors. The group has stated that it does not attack healthcare, educational and charitable institutions, although security researchers have observed groups that use the ransomware doing so anyway.
Earlier this year, the group gained attention when it announced a bug bounty program offering rewards to security researchers who found problems with its ransomware. The group is said to have paid $50,000 in reward money to a bug hunter who reported a flaw in its encryption software.
Azim Shukuhi, a researcher at Cisco Talos, says the company has looked at the leaked code and all indications are that it is the legitimate builder of the software. “In addition, social media and comments from the LockBit admin themselves indicate that the builder is genuine. It allows you to assemble or build a personal version of the LockBit payload along with a key generator for decryption,” he says.
However, Shukuhi has some doubts about how much the leaked code will benefit defenders. “Just because you can reverse-engineer the builder doesn’t mean you can stop the ransomware itself,” he says. “Also, in many circumstances, by the time the ransomware is deployed, the network has been completely compromised.”
Following the leak, LockBit’s authors are also likely hard at work rewriting the builder to ensure that future versions are not compromised. The group is also likely dealing with the fallout from the leak, Shukuhi says.
Huntress’ Hammond told Dark Reading that the leak was “definitely an ‘oops’ [moment] and embarrassment to LockBit and their operational security.” But like Shukuhi, he believes the group will simply change its tools and continue as before. Other threat actor groups may use the builder for their own operations, he said; any new activity around the leaked code will only perpetuate the existing threat.
Hammond said Huntress’ analysis of the leaked code shows that the now-revealed tools could enable security researchers to find flaws or weaknesses in the cryptographic implementation. But the leak does not include the private keys that would be needed to decrypt victims' systems, he added.
“Truthfully, LockBit seemed to brush the problem off as if it were no concern,” Hammond noted. “Their representatives essentially explained that we have fired the programmer who leaked this and assured affiliates and supporters of that business.”