The LockBit ransomware builder (version 3.0) has been leaked online, allegedly by its angry developers. It is suspected that two people (or the same person) leaked the 3.0 builder (also known as LockBit Black) on Twitter. Security researcher 3xp0rt first disclosed that a newly registered Twitter user, Ali Qushji (@ali_qushji), claimed that his team had compromised LockBit's servers and discovered a builder for the LockBit 3.0 encryptor. After this disclosure, research agency vx-underground revealed that they had also been contacted on September 10 by a user known as protonleaks (@protonleaks1), who shared a copy of the builder.
vx-underground further claims that LockBitSupp, the public representative of LockBit, clarified that the group was not hacked. Instead, a miffed developer had leaked the private ransomware builder code. The leaker turned out to be a programmer hired by the ransomware group, who was upset with LockBit leadership and leaked the builder in retaliation. The leak of the private ransomware builder is a serious blow to the LockBit ransomware operation.
The leaked builder includes a password-protected 7z archive, LockBit3Builder.7z. It contains four files: a batch file (build.bat), a builder (builder.exe), a modifiable configuration file (config.json), and an encryption key generator (keygen.exe). These files allow anyone to build the executables needed to launch their own operation, including an encryptor, a decryptor, and special tools to execute the decryptor in specific ways. Moreover, the configuration file lets users customize the build, for example by modifying the ransom notes, specifying Command and Control (C2) servers, and much more.
The recent leak is a serious concern for the security community, as more threat actors are expected to use the builder to develop their own ransomware. To stay protected, organizations are advised to enforce strong password rules, use multifactor authentication (MFA), purge outdated and unused user accounts, ensure system configurations follow all security procedures, and maintain proper backup practices.