Threat actors have their insider threats, too.
Sep 22, 2022

A disgruntled LockBit developer seems to have leaked the ransomware's builder.

The builder for LockBit's new encryptor, version 3.0 or "LockBit Black," released just this past June in the criminal-to-criminal market, has been leaked online, BleepingComputer reports. Researcher "3xp0rt" tweeted early this morning that "Unknown person @ali_qushji [which account has been temporarily restricted due to "unusual activity"] said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) Ransomware. You can check it on the GitHub repository"

LockBit says it was an insider leak, and not an external attack.

After 3xp0rt's tweet, VX-Underground reported that someone using the nom-de-hack "protonleaks" had contacted them on September 10th and at that time had shown them a copy of the builder. It's unclear whether protonleaks and ali_qushji are one person or two people, or whether perhaps their name is really legion. LockBit reached out to VX-Underground to deny that they had been hacked, saying that the leak was the work of a disgruntled developer unhappy with LockBit's leadership.

The story is interesting in a number of ways, especially in how it reveals the way a criminal enterprise apes many of the functions that one finds in a legitimate business. LockBit Black had been tested for two months before its release, and it sported novel modes of extortion and anti-analysis capabilities. Its release was also accompanied by a bug bounty program. And the ransomware-as-a-service gang maintains a support representative, "LockBitSupp," who serves as the public face of the outfit. It was LockBitSupp who contacted VX-Underground to explain that LockBit had experienced an insider breach, not an external hack.

What had upset the leaker or leakers enough to motivate the leak is unclear, but evidently LockBit has some unresolved HR issues.

Kaspersky has a useful overview of LockBit that includes the group's history and some observations about its place in the C2C market.

Industry reaction to the leak.

Some perspective from the security industry was provided by John Hammond, Senior Security Researcher at Huntress:

"Months ago, the LockBit ransomware operators released version 3.0 of their ransomware, dubbed 'LockBit Black,' celebrating new features and functionality to encrypt files faster than before. This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files. Anyone with this utility can start a full-fledged ransomware operation. 

"Cybercriminal groups that one might consider unsophisticated could use this builder to craft their own ransomware operations, making heavy use of the configurable options. With a simple switch or toggle, changing a "false" to a "true" or vice versa, the encryptor can delete event logs, stop services or processes, potentially move laterally through the network and disable antivirus protections. If a threat actor group had not made their own ransomware strain, this builder can easily be used with a custom ransom note.

"On another note, the security research community can analyze and explore this builder software and potentially garner new threat intelligence that could thwart ransomware operations. At minimum, this leak gives defenders greater insight into some of the work that goes on within the LockBit group.

"LockBit has proclaimed that this leak was not the result of being compromised or having their own servers infiltrated -- it was due to a disgruntled programmer, an employed member of the team, just getting fed up and releasing this tooling publicly. This insight on an "insider threat" offers some interesting takeaways, one being that the LockBit ransomware operation is so sophisticated they have these contracted developers, and they can simply brush off the issue like "we fired him." LockBit's presence in the cybercrime community helped them ease the minds of onlookers, individuals posting in forums wondering "was LockBit hacked?" and clarifying the issue. They are protecting their business, as odd as it is to say.

"Quite frankly, there isn't much that businesses need to do in direct response to this incident. The cliche, trite and saturated "remain vigilant" mantra still rings true... but ransomware and the cybercrime caravan will just continue onwards despite this leak. Businesses should certainly keep personnel informed and aware of this, if just to foster education and awareness as to what kinds of threats are out there -- but this does not need to be something the industry screams and shouts about, truthfully."