LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants
The leak of the LockBit 3.0 ransomware builder last year has led to threat actors abusing the tool to spawn new variants.
Russian cybersecurity company Kaspersky said it detected a ransomware intrusion that deployed a version of LockBit but with a markedly different ransom demand procedure.
"The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY," security researchers Eduardo Ovalle and Francesco Figurelli said.
The revamped ransom note directly specified the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the LockBit group, which doesn't mention the amount and uses its own communication and negotiation platform.
NATIONAL HAZARD AGENCY is far from the only cybercrime gang to use the leaked LockBit 3.0 builder. Some of the other threat actors known to leverage it include Bl00dy and Buhti.
Kaspersky noted it detected a total of 396 distinct LockBit samples in its telemetry, of which 312 artifacts were created using the leaked builders. As many as 77 samples make no reference to "LockBit" in the ransom note.
"Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes," the researchers said. "This indicates the samples were likely developed for urgent needs or possibly by lazy actors."
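As an added example, not part of this article or of Kaspersky's research, the following Python triages ransom-note text by the features described above: whether the note names LockBit at all, whether it states a fixed price, and whether it points victims to Tox or e-mail rather than a group-run portal. The regular expressions, the verdict labels and the two sample notes are my own constructions.

```python
import re
from dataclasses import dataclass

# A Tox ID is 76 hex characters (32-byte public key, 4-byte nospam, 2-byte checksum).
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Explicit ransom amounts such as "$1,500", "3 BTC" or "0.5 XMR".
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?|\d[\d,]*(?:\.\d+)?\s?(?:USD|BTC|XMR)\b", re.I)
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")

@dataclass
class NoteTriage:
    mentions_lockbit: bool
    tox_ids: list
    emails: list
    amounts: list
    onion_links: list

    @property
    def verdict(self) -> str:
        # Heuristic labels (my assumption, not an attribution rule): a note that
        # names no group, states a price and gives direct Tox/e-mail contact fits
        # the rebranded pattern the article describes.
        if self.mentions_lockbit:
            return "lockbit-branded"
        if self.amounts and (self.tox_ids or self.emails):
            return "unbranded-direct-contact"
        return "unbranded"

def triage_note(text: str) -> NoteTriage:
    """Extract contact and payment indicators from one ransom note."""
    return NoteTriage(
        mentions_lockbit="lockbit" in text.lower(),
        tox_ids=TOX_ID_RE.findall(text),
        emails=EMAIL_RE.findall(text),
        amounts=AMOUNT_RE.findall(text),
        onion_links=ONION_RE.findall(text),
    )

# Constructed sample notes (not real artifacts); Tox ID, onion host and e-mail are placeholders.
SAMPLE_NOTES = {
    "branded": "~~~ LockBit 3.0 ~~~\nYour data is stolen and encrypted.\n"
               "Contact us at http://" + "a" * 56 + ".onion\n",
    "rebranded": "NATIONAL HAZARD AGENCY\nAll your files are encrypted.\n"
                 "Price for decryptor: 3 BTC\nTox: " + "0123456789ABCDEF" * 4
                 + "0123456789AB" + "\nMail: contact@example.invalid\n",
}

def triage_samples() -> dict:
    return {name: triage_note(text) for name, text in SAMPLE_NOTES.items()}

if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(name, result.verdict, result.emails, result.amounts)
```

Run over a directory of recovered notes, the verdict separates the portal-driven LockBit notes from the ones that, like the NATIONAL HAZARD AGENCY note, hard-code a price and a direct contact.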
The disclosure comes as Netenrich delved into a ransomware strain called ADHUBLLKA that has rebranded several times since 2019 (BIT, LOLKEK, OBZ, U2K, and TZW), while targeting individuals and small businesses in exchange for meager payouts in the range of $800 to $1,600 from each victim.
Although each of these iterations comes with slight modifications to encryption schemes, ransom notes, and communication methods, a closer inspection has tied them all back to ADHUBLLKA owing to source code and infrastructure similarities.
"When a ransomware is successful out in the wild, it is common to see cybercriminals use the same ransomware samples — slightly tweaking their codebase — to pilot other projects," security researcher Rakesh Krishnan said.
"For example, they may change the encryption scheme, ransom notes, or command-and-control (C2) communication channels and then rebrand themselves as a 'new' ransomware."
Ransomware remains an actively evolving ecosystem, with frequent shifts in tactics and targeting and an increasing focus on Linux environments by families such as Trigona, Monti, and Akira, the last of which shares links to Conti-affiliated threat actors.