Trending

ee-track">
Link copied!

Alleged Builder of LockBit Black Ransomware Leaked

Cyble Research & Investigation Labs investigates the alleged leak of LOCKBIT Ransomware's builder and the possible implications of this leak.

September 21, 2022 · 3 min read
<strong>Alleged Builder of LockBit Black Ransomware Leaked</strong>

Another Leak Associated with a prominent Ransomware Group

 

Cyble Research and Intelligence Labs (CRIL) came across a newly registered Twitter user claiming that their team managed to hack several LockBit servers and acquired a builder of LockBit 3.0 ransomware, also known as “LockBit Black”. This user has leaked the alleged builder for free on Twitter.

LockBit is the most active ransomware group and has over 1000 publicly disclosed victims to date. This ransomware group has evolved quickly and is currently operating version 3.0.

LockBit ransomware operates on a Ransomware-as-a-Service model where the developer leases out their application to affiliates in return for a certain percentage of the ransom earnings.

Figure 1 LockBit Builder Leaked on Twitter
Figure 1 – LockBit Builder Leaked on Twitter

 

The user posted multiple replies on various ransomware-related posts on Twitter and shared the download link of the LockBit builder. The user appears to have joined Twitter recently, and it is possible that this account was created for the express purpose of leaking the LockBit ransomware builder.

Figure 2 Twitter Profile
Figure 2 – Twitter Profile

 

The leaked zip file contains a folder named “Build,” two executables, one batch, and one JSON file, as shown in the below figure. The builder does not have a Graphical User Interface (GUI) and executes via batch file.

Figure 3 Leaked Files
Figure 3 – Leaked Files

 

The execution workflow is as follows:

  • The “Build.bat” file executes “keygen.exe” and “builder.exe.”  
  • “Keygen.exe” is used to generate cryptographic keys.
  • “Builder.exe” creates the payload, decryptor, .txt, and other DLL files and saves them to a folder named “Build”.

The figure below shows the files generated by “builder.exe”

 

Figure 4 Files Generated by Builder
Figure 4 – Files Generated by Builder

 

“Builder.exe” uses the “config.json” file to customize the payload as per the Threat Actor’s (TAs) requirement. The configuration file contains various features such as encrypt_mode, encrypt_filename, impersonation, etc.

Additionally, the TAs can define files, folders, and extension names to be excluded from the encryption process. The language check can also be enabled in the config file to exclude CIS (Commonwealth of Independent States) countries.

Apart from these, the configuration file also contains a ransom note. The figure below shows the configuration file.

 

Figure 5 Configuration File
Figure 5 – Configuration File

 

We tested both the ransomware payload and decryptor generated using the builder. The binary was able to encrypt files, and the decryption process was successful using the decryptor. The below figure shows the ransomware encryption and decryption phases.

Figure 6 Encryption Decryption Phase
Figure 6 – Encryption-Decryption Phase

 

Conclusion

 

The profile behind this leak has not mentioned anything regarding the intent behind the leak. Such leaks can result in the emergence of new Threat Groups, as they can modify leaked files to carry out attacks.

Cyble Research and Intelligence Labs has witnessed a similar incident in the past when the internal data of the Conti ransomware group was leaked on Twitter. This incident is in the initial stage, and it is not yet certain how it might evolve.

Our Recommendations

 

With Threat Actors and their TTPs increasing in sophistication, the industry is still searching for the proverbial silver bullet to counter this cyber threat. However, there are a few cybersecurity measures that we strongly recommend to organizations to reduce the likelihood of a successful attack:

  • Define and implement a backup process and secure those backup copies by keeping them offline or on a separate network
  • Enforce password change policies for the network and critical business applications or consider implementing multi-factor authentication for all remote network access points
  • Reduce the attack surface by ensuring that sensitive ports are not exposed to the Internet
  • Conduct cybersecurity awareness programs for employees and contractors
  • Implement a risk-based vulnerability management process for IT infrastructure to ensure that critical vulnerabilities and security misconfigurations are identified and prioritized for remediation
  • Instruct users to refrain from opening untrusted links and email attachments without verifying their authenticity
  • Deploy reputed anti-virus and internet security software package on your company-managed devices, including PCs, laptops, and mobile devices
  • Turn on the automatic software update features on computers, mobiles, and other connected devices wherever possible and pragmatic
  • Monitor darkweb activities for early indicators and threat mitigation.

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams