Ransomware Developer Leaks LockBit Builder After Fight With Boss: What's Inside?

At the time of writing this article on the LockBit ransomware, the builder for the latest version, version 3, had been leaked on Twitter. The developer himself leaked it, and the stated motive was 'because I was dissatisfied with the boss of the organization.'

LockBit ransomware builder leaked online by “angry developer”


According to security researcher 3xp0rt, a user named 'Ali Quushji' said that 'the team hacked the organization's server and found a version 3.0 builder' and published it on Twitter.

After that, a user named 'protonleaks' contacted security researcher VX-Underground to share a copy of the LockBit 3.0 builder. However, according to VX-Underground, it turned out that this leaker was a developer hired by an organization that uses LockBit, and that he leaked it because he was angry with the organization's boss.

The leaked LockBit 3.0 builder allows anyone to quickly build the executables they need to launch their own operations, including an encryptor, a decryptor, and a dedicated tool to launch the decryptor in a particular way.

The builder consisted of four things: an encryption key generator, a resource file, a modifiable configuration file, and a batch file that builds all the files.

By editing the config.json file contained within, you can change the ransom message, change configuration options, decide which processes and services to terminate, specify the C2 server to which the encryption program sends data, and so on.

Running the batch file builds all the required files. Bleeping Computer, a security news site, actually obtained this LockBit 3.0 builder. In its test of encrypting and decrypting files using the C2 server, the builder was reportedly very easy to run.

This isn't the first time ransomware builders and source code have been leaked online. In June 2021, the builder of ransomware Babuk was leaked, and in March 2022 the source code of ransomware Conti was leaked.

in Software, Security, Posted by log1i_yk