Leaked LockBit 3.0 Ransomware Builder Abused by Threat Actors

Last year's leak of the LockBit 3.0 ransomware builder has inadvertently paved the way for cybercriminals to exploit its features, resulting in a new wave of ransomware variations. Kaspersky, a Russian cybersecurity firm, reported an intrusion involving a modified LockBit build, characterized by a unique ransom demand procedure. The hackers behind this incident branded themselves as "NATIONAL HAZARD AGENCY," setting a new precedent for the ransom note used.

In a sharp divergence from the LockBit group's ransom technique, NATIONAL HAZARD AGENCY specified a definite ransom amount and directed ransom negotiations to a Tox service and an email address. This starkly contrasts with the original LockBit approach, in which the ransom sum was not specified and victims were directed only to the LockBit group's own communication and negotiation platform.

NATIONAL HAZARD AGENCY is not the only group misusing the leaked LockBit 3.0 builder. Other groups, such as Bl00dy and Buhti, are known to use it for their own campaigns. According to Kaspersky's telemetry, of the 396 unique LockBit samples spotted, 312 were created using leaked builders. A significant number, as many as 77 samples, do not even reference "LockBit" in their ransom notes, which means that note text alone is not a reliable way to attribute a sample to the LockBit group.

Netenrich has been closely observing a ransomware variant called ADHUBLLKA, which has gone through several rebrands since 2019. Despite the constant name changes, all of these variants have been traced back to ADHUBLLKA because of the striking similarities in source code and infrastructure. It typically targets individual users and small businesses, demanding comparatively smaller ransom amounts.

Ransomware continues to demonstrate an ever-shifting nature, regularly altering its tactics and increasingly focusing on Linux environments. Several ransomware families, such as Trigona, Monti, and Akira, contribute to this evolution in techniques. Notably, Akira has been linked to threat actors associated with Conti and has been reported to abuse Cisco VPN products to gain illicit access to corporate networks.

Amid the steady upsurge in ransomware activity, the Cl0p ransomware group has breached 1,000 recognized organizations by exploiting vulnerabilities in the MOVEit Transfer application. The majority of these breaches have been against U.S.-based entities, affecting around 60 million individuals.

Cybersecurity is an active landscape, with attackers persistently innovating in their misdeeds. In the face of this increasing threat, protecting your cyber environment is paramount. At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security. We provide compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.
