LockBit 3.0 Ransomware Builder Leak: Abused by Threat Actors to Spawn New Variants

Ransomware continues to be a significant cybersecurity threat, and abuse of the LockBit 3.0 ransomware builder has escalated since the tool leaked last year, producing an influx of new criminal variants. Among the groups using the leaked builder, the Russian cybersecurity firm Kaspersky identified a previously unknown group, the NATIONAL HAZARD AGENCY. What set this group apart was its approach to ransom demands, which differed from the LockBit group's modus operandi. Instead of variable demands and a dedicated communication and negotiation platform, the NATIONAL HAZARD AGENCY used transparent ransom pricing, demanding a specific payment for the decryption keys, and relied on direct lines of communication to conduct negotiations.

This rogue agency was not the only group exploiting the leaked LockBit 3.0 builder; other cybercriminals, such as Bl00dy and Buhti, also used it. In total, Kaspersky identified 396 distinct LockBit samples in its telemetry, 312 of which originated from the leaked builders. Notably, 77 of these samples made no mention of "LockBit" in their ransom notes. This suggests that many of these modified builds were produced quickly, likely because of urgent needs or low-effort operations.

Following on from those worrying trends, Netenrich published its research into the ADHUBLLKA ransomware strain, which is known for targeting individuals and small businesses. This ransomware has been rebranded multiple times since 2019. Despite changes to its encryption scheme, ransom demands, and communication methods, researchers have traced its lineage back to ADHUBLLKA. This rebranding strategy is consistent with the modus operandi of other cybercriminal groups, as observed by security researcher Rakesh Krishnan. Often, they modify details such as the encryption mechanism, ransom notes, or command-and-control systems and present the result as a 'new' type of ransomware, he said.

On top of this, the cybersecurity landscape is continually changing. Observations indicate that attacks are increasingly shifting towards Linux platforms via ransomware families such as Trigona, Monti, and Akira, the last of which has connections to Conti-affiliated criminals. Akira, in particular, has been implicated in attacks exploiting Cisco VPN products. Of concern is that Cisco has confirmed that cybercriminals are targeting its VPNs that have not yet had multi-factor authentication enabled.

In parallel with these developments, there has been an unprecedented spike in ransom attacks, led by the Cl0p ransomware group, which has reportedly breached over 1,000 organizations, primarily by exploiting vulnerabilities in the MOVEit Transfer application. The majority of the affected companies are based in the U.S., which accounts for 83.9% of all corporate victims. The campaign, which began in May 2023, has affected over 60 million individuals, and the fallout is expected to grow far beyond this. Preliminary estimates suggest that the cybercriminals could illicitly net between $75 million and $100 million from these operations. Furthermore, Sophos' 2023 Active Adversary Report indicates that ransomware operators are working faster, reducing the median dwell time of incidents.

The ever-evolving nature of cybersecurity threats underscores the need for businesses to prioritize their cybersecurity strategies. Ensuring that your company is protected against these evolving threats is fundamental for the sustainability and profitability of your operations.

At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security. We provide compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security service your business needs. We focus on your cybersecurity so you don't have to.
