Sometimes the spell turns against the sorcerer. The group behind the LockBit ransomware often leaks captured data to extort its victims. But recently, one of the gang’s own development tools was leaked. Apparently, the leak was carried out by a member dissatisfied with the group’s leadership.
It all started when a newly created Twitter account in the name of Ali Qushji declared that his team had hacked LockBit’s servers. The account also claimed that, in the process, the LockBit 3.0 builder was found on one of the servers.
This constructor (or generator) was used to create version 3.0 of the group’s encryptor. Codenamed LockBit Black, the tool was tested for two months and released in June.
It may not seem like it, but the leak brings trouble to the gang. With the builder in hand, anyone can create a ransomware campaign with relative ease. BleepingComputer had access to the tool and says that it even managed to customize the malware’s behavior.
Also according to the publication, the builder is made up of four files: a cryptographic key generator, an editable configuration file (config.json), the builder itself and a batch file. The latter, when executed, generates all the files the ransomware needs to operate.
Has LockBit been attacked or not?
It would be a great irony for a ransomware group to have its servers hacked. But, apparently, the leak was the result of “friendly fire”.
The Ali Qushji account, which publicized the alleged hack, was suspended by Twitter. But a security expert who identifies himself as 3xp0rt shared the tweet containing the announcement.
A short time later, an administrator of VX-Underground, an online library of malware code, said that he had been contacted on September 10 by a person using the name “protonleaks”. This person offered just a copy of the generator.
So the folks at VX-Underground got in touch with a representative from LockBit. He explained that there had been no intrusion. The tool was reportedly leaked by a member angry with the group’s leadership, for undisclosed reasons.
The statement does not appear to be an attempt to put a lid on the situation. This is because, if a break-in by an external agent had really taken place, it is likely that many more files would have been leaked, not just the builder.
It’s bad for LockBit and it’s bad for everyone
If, on the one hand, this leak makes LockBit taste its own poison, on the other hand, it leaves the digital security industry on high alert. It’s easy to understand why: with a tool like this in circulation, more ransomware attacks are likely to appear within a short space of time.
As LockBit is a group that works with the Ransomware as a Service model (in which malware is provided to third parties to carry out attacks), it makes sense for the group that such a generator is relatively easy to use.
It is just not in the gang’s interest for the tool to be distributed as if it were free software. For an aggressive group that already goes as far as a triple extortion strategy against victims, this is a punch in the stomach.
Whether the leak will have other consequences, only time will tell. But one thing is for sure: you can’t say that this universe of malware and digital security is boring.