Developer Leaks LockBit 3.0 Ransomware-Builder Code

One problem with running a ransomware operation along the lines of a regular business is that disgruntled employees may want to sabotage the operation over some perceived injustice.

That appears to have been the case with the operators of the prolific LockBit ransomware-as-a-service operation this week when an apparently peeved developer publicly released the encryptor code for the latest version of the malware — LockBit 3.0 aka LockBit Black — to GitHub. The development has both negative and potentially positive implications for security defenders.

An Open Season for All

The public availability of the code means that other ransomware operators — and wannabe ones — now have access to the builder for arguably one of the most sophisticated and dangerous ransomware strains currently in the wild. As a result, new copycat versions of the malware could soon begin circulating and adding to the already chaotic ransomware threat landscape. At the same time, the leaked code gives white-hat security researchers a chance to take apart the builder software and better understand the threat, according to John Hammond, security researcher at Huntress Labs.

“This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files,” he said in a statement. “Anyone with this utility can start a full-fledged ransomware operation.” 

At the same time, a security researcher can analyze the software and potentially garner intelligence that could thwart further attacks, he noted.  “At minimum, this leak gives defenders greater insight into some of the work that goes on within the LockBit group,” Hammond said. 

Huntress Labs is one of several security vendors that have analyzed the leaked code and identified it as being legitimate.

Prolific Threat

LockBit surfaced in 2019 and has since emerged as one of the biggest current ransomware threats. In the first half of 2022, researchers from Trend Micro identified some 1,843 attacks involving LockBit, making it the most prolific ransomware strain the company has encountered this year. An earlier report from Palo Alto Networks’ Unit 42 threat research team…