
LockBit 3.0 Ransomware builder leak sparks proliferation of new variants


The cyber threat landscape has seen a surge in ransomware attacks, driven in part by the leak of the LockBit 3.0 ransomware builder and the proliferation of new variants that followed. Russian cybersecurity firm Kaspersky has identified multiple instances of threat actors using the leaked tool to create distinct variations of the LockBit ransomware. The leak has produced a range of new tactics and ransom note modifications, including the emergence of a previously unknown group calling itself “NATIONAL HAZARD AGENCY.”

Kaspersky’s experts, Eduardo Ovalle and Francesco Figurelli, observed a notable shift in how these samples operate: the attackers used a different ransom note format that states an explicit ransom demand. The original LockBit group relied on its own negotiation platform and did not name a ransom amount in the note; this new wave states the sum required for the decryption keys directly in the note. Victims were directed to contact the attackers through a Tox ID and an email address attributed to the aforementioned NATIONAL HAZARD AGENCY rather than through a LockBit negotiation site.

The LockBit 3.0 builder leak has had far-reaching consequences, enabling various cybercriminal groups, including Bl00dy and Buhti, to use the leaked tool for their own operations. Kaspersky’s telemetry revealed 396 distinct LockBit samples, 312 of which were traced back to the leaked builders. Notably, 77 samples did not reference “LockBit” in their ransom notes at all, a sign of how easily the builder can be reconfigured to produce ransomware tailored to a specific operator or attack scenario.
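The differences Kaspersky describes are visible in the ransom note itself: whether it still mentions LockBit, whether it points to a Tor negotiation panel or to a Tox ID and email address, and whether it states a sum. The script below is an added example of triaging dropped notes along those lines; it is not Kaspersky’s tooling or code from the original article. The three sample notes are constructed for illustration, and the Tox ID, email addresses, .onion host and dollar figure in them are placeholders, not indicators from any real incident.

```python
"""Profile ransom notes to separate stock LockBit 3.0 notes from builder-derived variants.

Added example, not Kaspersky's tooling. The sample notes are constructed;
the Tox ID, e-mail addresses, .onion host and sum are placeholders.
"""
import re
from dataclasses import dataclass

# A Tox ID is 76 hex characters (32-byte public key, 4-byte nospam, 2-byte checksum).
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# v3 onion services: 56 base32 characters followed by .onion
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")
# "$150,000", "2.5 BTC", "100000 USD": a sum written into the note itself
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?|\b\d[\d,]*(?:\.\d+)?\s?(?:USD|BTC)\b", re.I)


@dataclass
class NoteProfile:
    mentions_lockbit: bool
    onion_links: list
    tox_ids: list
    emails: list
    amounts: list

    @property
    def contact_style(self) -> str:
        """'panel' when the note only points to an onion negotiation site,
        'direct' when it gives a Tox ID or e-mail instead, 'none' otherwise."""
        if self.tox_ids or self.emails:
            return "direct"
        if self.onion_links:
            return "panel"
        return "none"


def profile_note(text: str) -> NoteProfile:
    """Extract the features that distinguish a stock note from a modified one."""
    return NoteProfile(
        mentions_lockbit="lockbit" in text.lower(),
        onion_links=ONION_RE.findall(text),
        tox_ids=TOX_ID_RE.findall(text),
        emails=EMAIL_RE.findall(text),
        amounts=[m.strip() for m in AMOUNT_RE.findall(text)],
    )


def summarize(notes) -> dict:
    """Counts in the shape of the figures quoted above: notes with no LockBit
    reference, notes stating a sum, and notes that skip the negotiation panel."""
    profiles = [profile_note(n) for n in notes]
    return {
        "total": len(profiles),
        "no_lockbit_reference": sum(not p.mentions_lockbit for p in profiles),
        "explicit_amount": sum(bool(p.amounts) for p in profiles),
        "direct_contact": sum(p.contact_style == "direct" for p in profiles),
    }


# Constructed sample notes (placeholders, not real indicators).
BUILDER_DEFAULT_NOTE = (
    "LockBit 3.0\n"
    "Your files are encrypted. Open the Tor site below to negotiate.\n"
    "http://exampleexampleexampleexampleexampleexampleexampleexample.onion\n"
)
DIRECT_DEMAND_NOTE = (
    "NATIONAL HAZARD AGENCY\n"
    "Your network is encrypted. Decryptor price: $150,000\n"
    "Tox: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789AB\n"
    "Mail: recover@example.com\n"
)
REBRANDED_NOTE = (
    "All your data has been locked by Example Group.\n"
    "Pay 2.5 BTC within 72 hours. Contact: helpdesk@example.net\n"
)
SAMPLE_NOTES = [BUILDER_DEFAULT_NOTE, DIRECT_DEMAND_NOTE, REBRANDED_NOTE]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        p = profile_note(note)
        print(f"lockbit={p.mentions_lockbit} contact={p.contact_style} amounts={p.amounts}")
    print(summarize(SAMPLE_NOTES))
```

On real samples the same features make a useful pivot: a note that names a sum and a Tox ID rather than a LockBit panel is the pattern the researchers attribute to NATIONAL HAZARD AGENCY, while the 77 notes with no LockBit reference are exactly what the `no_lockbit_reference` counter isolates.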

The landscape of cyber threats continually evolves, with ransomware actors frequently modifying encryption methods, communication tactics, and ransom demands. Security researcher Rakesh Krishnan noted that successful ransomware campaigns often lead to the reuse of existing ransomware samples, albeit with minor alterations to create an appearance of novelty. This process involves changing encryption algorithms, ransom notes, and command-and-control communication channels, resulting in the rebranding of the ransomware.

While the LockBit 3.0 builder leak has had a considerable impact, it is not the only factor behind the ransomware surge. Ransomware campaigns have also expanded their scope to Linux environments, with families such as Trigona, Monti, and Akira. Akira has been associated with attacks that used Cisco VPN products as the entry point into enterprise networks, which underlines the importance of multi-factor authentication (MFA) and hardened configurations on VPN systems.

Ransomware attacks have intensified, with the Cl0p ransomware group recently breaching over 1,000 organizations by exploiting vulnerabilities in the MOVEit Transfer application. U.S.-based entities bore the brunt of these attacks, accounting for 83.9% of corporate victims. This underscores the need for robust cybersecurity measures and proactive defenses against the escalating threat.

The evolving threat landscape also underscores the urgency for swift incident response. The median dwell time for ransomware incidents decreased from nine days in 2022 to just five days in the first half of 2023. Moreover, Sophos’ 2023 Active Adversary Report highlighted that ransomware attacks often occur outside traditional working hours, with Fridays and Saturdays being prime attack days.

In summary, the leakage of the LockBit 3.0 ransomware builder has catalyzed a proliferation of new ransomware variants, with threat actors exploiting the tool’s flexibility to adapt their tactics. As ransomware attacks continue to intensify, organizations must remain vigilant and bolster their defenses to thwart these evolving cyber threats.
