An analysis by Kaspersky researchers shows several other threat groups took advantage of the leak of the LockBit 3.0 builder to create their own customized version of the ransomware and deploy it in extortion campaigns.
In an Aug. 25 post, Eduardo Ovalle and Francesco Figurelli from Kaspersky’s Global Emergency Response Team (GERT) said it did not take long after the September 2022 leak for new variations of the malware to appear.
“Immediately after the builder leak, during an incident response by our GERT team, we managed to find an intrusion that leveraged the encryption of critical systems with a variant of Lockbit 3 ransomware,” the researchers said.
“Although this variant was confirmed as Lockbit, the ransom demand procedure was quite different from the one known to be implemented by this threat actor.”
In the ransom note examined by GERT, the extortionists called themselves the National Hazard Agency, a previously unknown group.
The note also stood out because it included a specific ransom demand ($3 million) for the keys to decrypt the victim’s files, and provided email and chat contact details. In contrast, the LockBit group uses its own communication and negotiation platform to interact with victims.
Other threat groups identified using LockBit 3.0 included Blacktail's Buhti ransomware operation, the Bl00dy ransomware gang, and GetLucky.
How the leaked malware was modified
To build up a picture of how LockBit 3.0 was being deployed, and by whom, the Kaspersky researchers analyzed 396 distinct samples of the malware.
“The objective of this analysis is to understand the parameters applied by different actors to build the malware as configured in samples detected in the wild,” Ovalle and Figurelli said.
They found 77 of the 396 samples did not include any reference to “LockBit” in their ransom note. Such an omission of the name would be “quite unexpected” in terms of the gang’s usual tactics, techniques and procedures, the researchers said.
“The modified ransom note without reference to Lockbit or with a different contact address (mail/URL) reveals probable misuse of the builder by actors other than the ‘original’ Lockbit,” they said.
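The triage logic described above (flagging notes that omit any LockBit reference or that carry their own email/URL contact details) can be scripted for bulk review of recovered ransom notes. The following is an added example for illustration, not the Kaspersky researchers' tooling; the sample notes and the contact addresses in them are constructed placeholders, not real indicators.

```python
import re

# Constructed sample ransom notes (placeholder contacts, not real IoCs).
SAMPLE_NOTES = {
    "sample_a": (
        "~~~ LockBit 3.0 the world's fastest ransomware ~~~\n"
        "Your data are stolen and encrypted.\n"
        "Visit http://lockbit-placeholder.example.onion to negotiate."
    ),
    "sample_b": (
        "Your network has been encrypted by the National Hazard Agency.\n"
        "To get the decryption keys pay 3,000,000 USD.\n"
        "Email: nha-placeholder@example.com"
    ),
    "sample_c": (
        "All files encrypted. Contact: support-placeholder@example.org "
        "or visit http://chat-placeholder.example.net/id=1"
    ),
}

# Simple patterns for the contact details a note may embed.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s]+")
LOCKBIT_RE = re.compile(r"lock\s*bit", re.IGNORECASE)


def extract_contacts(note):
    """Return (emails, urls) found in a ransom note, in order of appearance."""
    return EMAIL_RE.findall(note), URL_RE.findall(note)


def classify_note(note):
    """Flag deviations from the LockBit TTPs the article describes.

    Two signals are used:
      - no_lockbit_reference: the note never names LockBit, which the
        researchers called "quite unexpected" for the original gang.
      - custom_contact: the note carries an email address, whereas the
        LockBit group negotiates through its own platform, not email.
    """
    emails, urls = extract_contacts(note)
    reasons = []
    if not LOCKBIT_RE.search(note):
        reasons.append("no_lockbit_reference")
    if emails:
        reasons.append("custom_contact")
    return {
        "mentions_lockbit": not ("no_lockbit_reference" in reasons),
        "emails": emails,
        "urls": urls,
        "deviation_reasons": reasons,
    }


def summarize(notes):
    """Aggregate counts over a {sample_name: note_text} mapping."""
    results = {name: classify_note(text) for name, text in notes.items()}
    return {
        "total": len(results),
        "no_lockbit_reference": sum(
            "no_lockbit_reference" in r["deviation_reasons"] for r in results.values()
        ),
        "custom_contact": sum(
            "custom_contact" in r["deviation_reasons"] for r in results.values()
        ),
        "likely_non_lockbit": sorted(
            name for name, r in results.items() if r["deviation_reasons"]
        ),
    }


if __name__ == "__main__":
    for name, text in SAMPLE_NOTES.items():
        print(name, classify_note(text))
    print(summarize(SAMPLE_NOTES))
```

The per-note result keeps the extracted emails and URLs so an analyst can cluster samples by contact address, which is how the researchers separated the "original" LockBit from other actors reusing the leaked builder.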
Aside from the amended ransom notes, the samples showed few changes being made to the leaked malware.
“Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes. This indicates the samples were likely developed for urgent needs or possibly by lazy actors.”
While LockBit 3.0 includes functionality to set up a command and control (C2) operation so data can be exfiltrated from victims’ networks, the researchers found “very few” of the samples they analyzed had the C2 communication function enabled.
“No suspicious or malicious domains were identified in the analyzed samples, showing there’s no interest in establishing C2 communications using the leaked payloads,” Ovalle and Figurelli said.
According to Jon DiMaggio, chief security strategist at Analyst1, the LockBit gang is currently struggling with multiple issues that have seen affiliates abandon the organization in favor of its competitors.
“LockBit missed its most recent release date to produce an updated ransomware variant to support its partner affiliates. Instead, it relies on outdated, publicly available ransomware, leaked from its competitors,” said DiMaggio, who spent months covertly investigating the LockBit operation.