
Cybercriminals Exploit Leaked LockBit Builder in Recent Surge of Attacks


Threat actors have been observed using leaked LockBit code to run their own ransomware attacks. LockBit is one of the world’s leading ransomware-as-a-service (RaaS) operations. It released its latest version, LockBit v3 or “LockBit Black,” in June last year with enhanced features and powerful upgrades, including sophisticated anti-analysis protections. The third iteration of LockBit has already been deployed in major campaigns, such as the recent attack on Japan’s largest port.

However, not all LockBit attacks are carried out by LockBit or its affiliates. After a developer leaked two versions of the builder code for LockBit v3 last September, unrelated cybercriminals began adopting this premier malware-building tool for their own purposes. This is a common pattern in the cyber underground, where hackers take advantage of leaked toolkits or source code to achieve their malicious goals.

Roger Grimes, a data-driven defense evangelist at KnowBe4, stated that “It’s very common for other hackers to take advantage of ransomware and other malware programs once the toolkit or source has leaked. Most hackers are lazy, and they will take the quickest, shortest route to ill-gotten gains.”

In a ransom note observed by Kaspersky researchers, the perpetrators behind one intrusion identified themselves as the “National Hazard Agency,” which deviates from LockBit’s usual modus operandi. The note contained typical ransom demands and contact details for negotiation, requesting a ransom of $3 million in Bitcoin or Monero. While LockBit uses its own bespoke platform for negotiations, other groups were also observed using LockBit around the same time, each with its own variation of the ransom note.

To determine the extent to which unaffiliated actors are using the leaked LockBit code, Kaspersky recently analyzed 396 LockBit builder samples from the wild. Of these, 77 samples made no reference to LockBit and used different contact information in their ransom notes, indicating the involvement of unaffiliated actors.

According to Kaspersky, most LockBit adopters targeted local disks or network shares and enabled various parameters in the malware, such as kill service, kill process, kill defender, delete logs, and self-destruct. However, they rarely enabled the system shutdown parameter, and only a few made use of communication with a command-and-control server. The researchers found that the malware itself underwent minimal changes, with most parameters matching the default configuration of the builder. This suggests that the samples were likely produced for urgent needs or potentially by lazy actors.
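The two attribution criteria described above (no LockBit reference in the ransom note, and contact details that differ from the original operation's) plus the tally of enabled builder parameters can be turned into a small triage script. The following is an added example written for this page, not Kaspersky's tooling or anything from the LockBit builder itself. The ransom-note texts, the contact handles (placeholder `.invalid` and `.onion` values), the `KNOWN_LOCKBIT_CONTACTS` set and the flag names (`kill_service`, `c2`, `shutdown`, and so on, modelled on the parameters named in the article) are all constructed; the set-of-strings layout stands in for whatever a real config parser would return.

```python
import re
from collections import Counter, defaultdict

# --- Constructed sample data (not real samples) -------------------------------
# Each record: (sample_id, ransom_note_text, set_of_enabled_builder_flags).
# Flag names mirror the parameters named in the article; the representation
# is a stand-in, not the builder's actual config format.
SAMPLES = [
    ("a1", "Your files are encrypted by LockBit Black.\n"
           "Negotiate at http://lockbit-portal-placeholder.onion",
     {"kill_service", "kill_process", "kill_defender", "delete_logs", "self_destruct"}),
    ("a2", "LockBit 3.0. All your data is stolen and encrypted.\n"
           "Portal: http://lockbit-portal-placeholder.onion",
     {"kill_service", "kill_process", "kill_defender", "delete_logs", "self_destruct", "c2"}),
    ("u1", "National Hazard Agency\nPay 3,000,000 USD in BTC or XMR.\n"
           "Email: nha-contact@example.invalid",
     {"kill_service", "kill_process", "kill_defender", "delete_logs", "self_destruct"}),
    ("u2", "National Hazard Agency\nContact nha-contact@example.invalid within 72 hours.",
     {"kill_service", "kill_process", "kill_defender", "delete_logs", "self_destruct", "shutdown"}),
    ("u3", "Your network was breached. Write to recover-desk@example.invalid",
     {"kill_service", "kill_process", "delete_logs"}),
]

# Contact handles already attributed to the original RaaS operation. Placeholder
# value; an analyst would populate this from previously attributed notes.
KNOWN_LOCKBIT_CONTACTS = {"lockbit-portal-placeholder.onion"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION_RE = re.compile(r"(?:https?://)?([\w-]+\.onion)", re.IGNORECASE)


def extract_contacts(note):
    """Return the contact handles (e-mail addresses, .onion hosts) found in a note."""
    contacts = {m.lower() for m in EMAIL_RE.findall(note)}
    contacts |= {m.lower() for m in ONION_RE.findall(note)}
    return contacts


def references_lockbit(note):
    """True if the note names the LockBit brand anywhere."""
    return "lockbit" in note.lower()


def is_unaffiliated(note, known_contacts=KNOWN_LOCKBIT_CONTACTS):
    """The article's criterion: no LockBit reference and no contact handle that
    matches the original operation's. A note with no contacts at all counts as
    unaffiliated only when it also omits the brand name."""
    return not references_lockbit(note) and not (extract_contacts(note) & known_contacts)


def triage(samples, known_contacts=KNOWN_LOCKBIT_CONTACTS):
    """Separate unaffiliated samples, cluster them by shared contact details
    (one cluster per likely actor) and count which builder flags they enable."""
    unaffiliated = []
    clusters = defaultdict(list)
    flag_counts = Counter()
    for sample_id, note, flags in samples:
        if not is_unaffiliated(note, known_contacts):
            continue
        unaffiliated.append(sample_id)
        key = tuple(sorted(extract_contacts(note))) or ("<no contact>",)
        clusters[key].append(sample_id)
        flag_counts.update(flags)
    return {
        "total": len(samples),
        "unaffiliated": unaffiliated,
        "clusters": dict(clusters),
        "flag_counts": dict(flag_counts),
    }


if __name__ == "__main__":
    result = triage(SAMPLES)
    print(f"{len(result['unaffiliated'])} of {result['total']} samples look unaffiliated")
    for contacts, ids in result["clusters"].items():
        print("cluster", contacts, "->", ids)
    for flag, n in sorted(result["flag_counts"].items(), key=lambda kv: -kv[1]):
        print(f"  {flag}: enabled in {n} unaffiliated sample(s)")
```

Clustering on contact handles rather than on note wording is what lets the two "National Hazard Agency" samples fall into one group while the third unaffiliated note forms its own; the flag tally over that subset is the same kind of summary the article reports (kill service, kill process and delete logs enabled everywhere, shutdown almost never).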

The customization and adaptation of LockBit code by unaffiliated actors highlights how versatile and accessible ransomware tooling has become once it leaks. It also underscores the need for organizations to implement robust security measures against such attacks: attribution to a brand says little about the attacker, so detection and response should key on behaviour (service and process termination, log deletion, self-deletion) rather than on the name in the ransom note. As ransomware continues to evolve and adapt, cybersecurity professionals must remain vigilant and proactive in their defense strategies.
