LockBit has emerged as the biggest player in the “ransomware as a service” (RaaS) market in the past year. But the group may now be on the ropes as its newly revamped LockBit Ransomware Builder, the tool used to both build ransomware executables and decrypt locked files, is now available to the public via what the group claims is a “disgruntled developer.”
LockBit ransomware will undoubtedly be copied and used by other threat actors in the near term, putting the group’s business at risk. But the leak of the ransomware builder also gives security researchers valuable insights into bolstering the ability of cyber defenses to detect it and into decrypting locked files. The incident may end up finally dethroning LockBit, which became the premier RaaS group after major rivals such as Conti and REvil broke up under law enforcement pressure.
Newly overhauled LockBit ransomware compromised by insider
A new version of the LockBit ransomware (3.0) had just debuted in June, promising its criminal clientele that it would “make ransomware great again” with an assortment of new features. The ransomware builder that has made its way to the public is for this newly revised version, also sometimes called “LockBit Black” by the group.
The ransomware builder first appeared on Twitter on September 21, posted by a newly registered user under the handle “ali_qushji.” The Twitter user claimed that they had hacked several of the LockBit ransomware servers and located the new ransomware builder on one of them. Numerous security researchers examined the ransomware builder and confirmed that it was legitimate.
After this happened, the VX-Underground malware monitoring service came forward to share that a Twitter user by the name of “protonleaks” had privately shared a copy of the ransomware builder with them on September 10. However, this user had a different story; they claimed to be an angry developer leaking the ransomware builder due to differences with the upper echelons of LockBit.
With this tool, anyone with basic knowledge of these types of attacks could immediately create a knockoff service using the authentic LockBit ransomware. The ransomware builder automates all aspects of…