Cybercriminals Harness Leaked LockBit Builder in Wave of New Attacks

Published : 23/11/2024   Category : security




Enterprising, or simply lazy, cybercriminals are using Lockbit v3 to cut corners on ransomware.



Threat actors are using and customizing leaked Lockbit code to carry out their own ransomware attacks.
Lockbit is arguably the world's leading ransomware-as-a-service (RaaS) operation. Last June, it revealed its latest version 3 malware (also referred to as Lockbit Black), promising to "make ransomware great again." And it followed through — the latest iteration significantly upgraded on its already powerful predecessors, most notably with sophisticated anti-analysis protections. The third Lockbit has since been deployed in major campaigns, like the recent attack against the largest port in Japan.
Not all Lockbit attacks are carried out by Lockbit or its affiliates, however. After a developer leaked two versions of the builder code for Lockbit v3 last September, unaffiliated cybercriminals now appear to be adopting the cyber underground's premier malware-making tool for their own ends.
"It's very common for other hackers to take advantage of ransomware and other malware programs once the toolkit or source has leaked. Most hackers are lazy and they will take the quickest, shortest route to ill-gotten gains," said Roger Grimes, data-driven defense evangelist at KnowBe4, in a statement sent to Dark Reading.
Last fall, researchers from Kaspersky observed a cyber intrusion using a variant of Lockbit v3 to encrypt an organization's critical systems. But the nature of the attack was not at all aligned with Lockbit's M.O.
In a ransom note, the perpetrators identified themselves as the National Hazard Agency. Their message was par for the course — your data are encrypted, if you do not pay the ransom we will attack your company repeatedly again, etc. They included an email and instant messaging contact details, and demanded $3 million paid in Bitcoin or Monero. (Major RaaS like Lockbit use their own bespoke platform for negotiating with victims.)
Other researchers observed other groups using Lockbit around this time, but with their own twist on the ransom note, like in the low-grade example below:
To determine how many unaffiliated actors were doing this, Kaspersky researchers recently analyzed 396 observed Lockbit builder samples from the wild. Of those, 77 made no reference to Lockbit or used different contact information in their associated ransom notes, indicating the culpability of unaffiliated actors.
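A rough note-triage pass in the spirit of the count above, added here as an example; it is not Kaspersky's method or code from this article. It flags notes that never mention LockBit or that offer e-mail or instant-messaging contacts; the regexes, labels and sample notes are assumptions constructed for illustration.

```python
import re

# Assumed heuristics (not Kaspersky's published method): a note looks
# unaffiliated if it never names LockBit, or if it asks the victim to
# negotiate over e-mail / instant messaging instead of a dedicated portal.
BRAND_RE = re.compile(r"lock\s*bit", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IM_RE = re.compile(r"\b(tox|jabber|xmpp|telegram)\b", re.IGNORECASE)


def triage_note(text):
    """Return (label, reasons) for the text of one ransom note."""
    reasons = []
    if not BRAND_RE.search(text):
        reasons.append("no LockBit reference")
    if EMAIL_RE.search(text):
        reasons.append("e-mail contact")
    if IM_RE.search(text):
        reasons.append("instant-messaging contact")
    label = "likely-unaffiliated" if reasons else "lockbit-branded"
    return label, reasons


def summarize(notes):
    """Count labels across a {sample_id: note_text} mapping."""
    counts = {"likely-unaffiliated": 0, "lockbit-branded": 0}
    for text in notes.values():
        counts[triage_note(text)[0]] += 1
    return counts


# Constructed sample notes (placeholders, not real notes or real contacts).
SAMPLES = {
    "sample-a": "~~~ LockBit 3.0 ~~~ Your data are stolen and encrypted. "
                "Use the chat link in this note to reach us.",
    "sample-b": "National Hazard Agency. Your data are encrypted. "
                "Write to recover@example.invalid or our Tox ID.",
    "sample-c": "LockBit Black. Pay or we leak. Mail: help@example.invalid",
}

if __name__ == "__main__":
    for sample_id, note in SAMPLES.items():
        print(sample_id, *triage_note(note))
    print(summarize(SAMPLES))
```

The reasons list is kept alongside the label so an analyst can see why a note was flagged; a branded note with an e-mail contact (sample-c) is the case a brand-only check would miss.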
According to Kaspersky, most Lockbit adopters targeted local disks or network shares, enabling the kill service, kill process, kill defender, delete logs, and self-destruct parameters in the malware. Most did not enable the system shutdown parameter, and very few utilized communication with a command-and-control server.
Besides these rather minor customizations, Lockbit adopters made few changes to the malware itself.
"Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes. This indicates the samples were likely developed for urgent needs or possibly by lazy actors," the researchers explained.
