In June 2022, Lockbit v3, also known as Lockbit Black, emerged as a ransomware variant. However, by September 2022, the builder for this version was leaked online, enabling anyone to generate customized iterations of the ransomware. Two Twitter users, namely @protonleaks and @ali_qushji, shared the necessary files to create different versions of Lockbit Black. Researchers analyzed the leaked files and observed subtle differences in the builder.exe binary, with one version dated September 9, 2022, and the other compiled on September 13, 2022.
Soon after the builder leaked, researchers encountered an instance of the Lockbit 3 ransomware during an incident response. This variant of Lockbit 3 featured a distinct ransom note with a headline linked to an unfamiliar group called “NATIONAL HAZARD AGENCY.” The ransom note specified the ransom amount for obtaining decryption keys and provided instructions for communication through a Tox service and email. This contrasted with the original Lockbit group’s approach, which relies on its negotiation platform.
Several other threat actors, including Bl00dy and Buhti, also adopted this variant in their attacks. The analysis involved examining 396 distinct samples, primarily created by the leaked builders (312 samples). Additionally, the researchers identified samples generated by other unidentified builders in June and July 2022.
Many of the identified parameters aligned with the default configuration of the builder, although minor alterations were present in some samples. This suggests that these variations might have been hastily developed for urgent requirements or potentially by less motivated threat actors.
The majority of the samples encrypted local disks and network shares while avoiding hidden folders and omitting the system shutdown option. Interestingly, network deployment via PSEXEC was configured in 90% of the samples, and deployment by GPO was set up in 72% of cases. A limited number of samples enabled communication to command-and-control (C2) servers.
The researchers' findings also revealed a significant point about the use of the leaked builders by actors other than the original Lockbit group. Approximately 77 samples lacked any reference to the "Lockbit" string in their ransom notes. This unexpected finding, together with modified ransom notes that omitted the Lockbit reference or carried different contact information (email/URL), indicated that the builder was likely being used by entities other than the authentic Lockbit group.
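The two signals the researchers used to separate builder-generated samples from the original group's operation are configuration tallies (which switches are on across the corpus) and ransom-note deviations (missing "Lockbit" string, direct email/Tox contact instead of the negotiation portal). The script below is an added example of that triage, not code from the researchers or from the builder; the sample records, configuration key names and contact details are constructed placeholders, and the baseline configuration is an assumption based on the majority settings the article reports.

```python
"""Triage of LockBit Black builder samples: configuration prevalence and
ransom-note deviation checks (added example, all data constructed)."""
import re
from collections import Counter
from typing import Dict, List

# Assumed baseline: the majority settings the article reports. The key
# names are placeholders, not the builder's real configuration fields.
DEFAULT_CONFIG = {
    "local_disks": True,
    "network_shares": True,
    "skip_hidden_folders": True,
    "shutdown_system": False,
    "psexec_netspread": True,
    "gpo_netspread": True,
    "c2_report": False,
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://\S+|\b[a-z2-7]{16,}\.onion\b")
TOX_RE = re.compile(r"\b[0-9A-F]{76}\b")  # Tox IDs are 76 hex characters

# Constructed sample records: four extracted configs with their ransom notes.
SAMPLES: List[Dict] = [
    {"id": "sample-1", "config": dict(DEFAULT_CONFIG),
     "note": "LockBit 3.0 - your data is encrypted.\n"
             "Negotiate at http://lockbitexample.onion (constructed)\n"},
    {"id": "sample-2", "config": {**DEFAULT_CONFIG, "c2_report": True},
     "note": "LockBit 3.0 - your data is encrypted.\n"
             "Negotiate at http://lockbitexample.onion (constructed)\n"},
    {"id": "sample-3", "config": {**DEFAULT_CONFIG, "gpo_netspread": False},
     "note": "NATIONAL HAZARD AGENCY\nYour files are encrypted.\n"
             "Contact via Tox: " + "A" * 76 + "\n"
             "or email: constructed-contact@example.com\n"},
    {"id": "sample-4",
     "config": {**DEFAULT_CONFIG, "shutdown_system": True, "psexec_netspread": False},
     "note": "LockBit\nWrite to constructed-other@example.com for the key.\n"},
]


def note_indicators(note: str) -> Dict:
    """Extract the ransom-note features that distinguish builder users."""
    return {
        "mentions_lockbit": "lockbit" in note.lower(),
        "emails": EMAIL_RE.findall(note),
        "urls": URL_RE.findall(note),
        "tox_ids": TOX_RE.findall(note),
    }


def config_prevalence(samples: List[Dict]) -> Dict[str, float]:
    """Fraction of samples with each switch enabled (the 90%/72% style tallies)."""
    enabled = Counter()
    for s in samples:
        for key, value in s["config"].items():
            if value:
                enabled[key] += 1
    n = len(samples)
    return {key: enabled[key] / n for key in DEFAULT_CONFIG}


def config_deviations(config: Dict) -> List[str]:
    """Keys whose value differs from the assumed baseline, in baseline order."""
    return [k for k, v in DEFAULT_CONFIG.items() if config.get(k) != v]


def count_without_lockbit(samples: List[Dict]) -> int:
    """How many notes never mention Lockbit at all (the '77 samples' signal)."""
    return sum(1 for s in samples if not note_indicators(s["note"])["mentions_lockbit"])


def triage(samples: List[Dict]) -> List[Dict]:
    """Per-sample list of reasons it looks like a non-LockBit builder user."""
    results = []
    for s in samples:
        ind = note_indicators(s["note"])
        reasons = []
        if not ind["mentions_lockbit"]:
            reasons.append("note lacks 'Lockbit' string")
        if ind["emails"] or ind["tox_ids"]:
            reasons.append("note carries direct contact (email/Tox) instead of negotiation portal")
        for key in config_deviations(s["config"]):
            reasons.append(f"config differs from baseline: {key}")
        results.append({"id": s["id"], "reasons": reasons, "indicators": ind})
    return results


if __name__ == "__main__":
    for key, frac in config_prevalence(SAMPLES).items():
        print(f"{key:20s} enabled in {frac:.0%} of samples")
    print("notes without 'Lockbit':", count_without_lockbit(SAMPLES))
    for r in triage(SAMPLES):
        print(r["id"], "->", r["reasons"] or ["matches baseline"])
```

On real data the records would be filled from a configuration extractor and the notes dropped by each sample; the prevalence table is what the article's percentages summarise, and the triage reasons give an analyst the same split the researchers drew between the original group and third parties reusing the builder.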