The LockBit 3.0 ransomware, also known as LockBit Black, was first identified in June 2022. However, in September of the same year, a builder for this variant was leaked online, enabling anyone to create their own customized version of the ransomware. Notably, two Twitter users, @protonleaks and @ali_qushji, published the files necessary to create different versions of this ransomware, as observed by Kaspersky researchers.
The researchers discovered that the binary, builder.exe, varied slightly between the two leaks. The version from @protonleaks had a compilation date of 2022/09/09, while the version from @ali_qushji was compiled on 2022/09/13. Similar differences in compilation time were found in the malware's template binaries.
Shortly after the leak of the builder, Kaspersky researchers discovered a variant of the Lockbit 3 ransomware during an incident response. This variant was deployed with a different ransom note, attributed to a previously unknown group named NATIONAL HAZARD AGENCY. The ransom note specified the amount required to obtain decryption keys and directed communications to a Tox service and email. This is in contrast to the LockBit group, which uses its own negotiation platform.
Other threat actors, such as Bl00dy and Buhti, have also utilized this variant in their attacks. Out of 396 distinct samples analyzed by Kaspersky, 312 were created by the leaked builders. However, researchers also identified samples created by other unknown builders from June and July 2022.
Many of the detected parameters matched the default configuration of the builder, with only minor changes observed in some samples. This suggests that these samples were likely developed for urgent needs or possibly by less diligent actors. Most of the samples encrypted local disks and network shares, avoiding hidden folders, and did not enable the system shutdown option.
Network deployment via PSEXEC was configured in 90% of the samples, while deployment via GPO was configured in 72%. Only a limited number of samples enabled communication to C2.
The report concluded that 77 samples did not reference a “Lockbit” string (case-insensitive) in the ransom note, which was unexpected according to LB TTP. The modified ransom note without reference to Lockbit or with a different contact address (mail/URL) reveals probable misuse of the builder by actors other than the “original” Lockbit.