LockBit 3.0 Ransomware Builder Spawns Many New Variants

ransomware

The leak of the LockBit 3.0 ransomware builder in September 2022 has led other threat actors to use the tool to produce their own variants.

Researchers at a cybersecurity company observed an attack that used a LockBit build but took a markedly different approach to the ransom demand.

In this incident the attacker replaced the standard ransom note with one headed by the name of a previously unknown group, NATIONAL HAZARD AGENCY, according to the researchers.

The modified note states the exact amount demanded for the decryption keys and directs victims to a Tox ID and an email address. The LockBit group itself never states an amount in its note and handles contact and negotiation through its own portal.

NATIONAL HAZARD AGENCY isn't the only group using the leaked LockBit 3.0 builder; Bl00dy and Buhti have also been observed using it.

The researchers identified 396 unique LockBit samples in their telemetry, 312 of which were produced with the leaked builder. Roughly 77 samples made no mention of "LockBit" at all in the ransom note.

The researchers noted that many of the configuration parameters in these samples match the builder's defaults with only minor changes, which suggests the builds were assembled in a hurry or by less careful operators.

Why Ransomware Code Gets Recycled and Rebranded

The findings coincide with Netenrich's analysis of ADHUBLLKA, a ransomware family that has been rebranded several times since 2019 (as BIT, LOLKEK, OBZ, U2K, and TZW). It targets individuals and small businesses and demands relatively small ransoms, typically $800 to $1,600 per victim.

Although these iterations differ slightly in encryption routines, ransom notes, and contact channels, closer analysis ties them all back to ADHUBLLKA through shared source code and infrastructure.

When a ransomware family succeeds in the wild, it is common for criminals to recycle the same samples with small tweaks to the codebase and launch them as new projects, the researchers added: change the encryption routine, the ransom note, or the contact channel, and present the result as a 'new' ransomware.
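As an added example (not code from the article or from the researchers it cites), the script below performs the two analyses described above on a handful of sample records: it compares an extracted build configuration against the builder's default profile to flag near-default builds and notes that carry no LockBit branding, and it pivots on contact channels (Tox IDs and e-mail addresses) to tie differently branded notes back to one operation. The default profile, its field names, the Tox ID, the e-mail addresses and the ransom-note text are all constructed for illustration; none of them are the real builder's configuration keys or real indicators.

```python
"""Triage of samples built from a leaked ransomware builder.

Added example; not code from the article or from the researchers it cites.
The default profile, field names, sample IDs and ransom notes below are all
constructed for illustration and are not the real builder's keys or real IOCs.
"""
import re
from collections import defaultdict

# Assumed default profile the builder writes when the operator changes nothing.
BUILDER_DEFAULTS = {
    "encrypt_mode": "auto",
    "kill_services": True,
    "delete_eventlogs": True,
    "set_wallpaper": True,
    "self_destruct": True,
}

# A constructed, syntactically valid Tox ID (76 hex characters), not a real one.
TOX = "0123456789ABCDEF" * 4 + "0123456789AB"

# Constructed sample records: extracted build configuration plus ransom-note text.
SAMPLES = [
    {"id": "sample-1", "config": dict(BUILDER_DEFAULTS),
     "note": "~~~ LockBit 3.0 the world's fastest ransomware since 2019 ~~~\n"
             "Your data is stolen and encrypted.\n"
             "Negotiate only through our own portal; no price is stated here."},
    {"id": "sample-2", "config": {**BUILDER_DEFAULTS, "set_wallpaper": False},
     "note": "~~~ NATIONAL HAZARD AGENCY ~~~\n"
             "All your files are encrypted. Pay $3,000 for the decryption key.\n"
             f"Tox: {TOX}\nMail: victim-help@example.com"},
    {"id": "sample-3",
     "config": {"encrypt_mode": "full", "kill_services": False, "delete_eventlogs": False,
                "set_wallpaper": False, "self_destruct": False},
     "note": "~~~ BIT ~~~\nYour files are locked. Price: $800.\nMail: bitdecrypt@example.com"},
    {"id": "sample-4",
     "config": {"encrypt_mode": "full", "kill_services": False, "delete_eventlogs": False,
                "set_wallpaper": False, "self_destruct": False},
     "note": "~~~ TZW ~~~\nYour files are locked. Price: $1,600.\nMail: bitdecrypt@example.com"},
]

TOX_ID = re.compile(r"\b[0-9A-Fa-f]{76}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
AMOUNT = re.compile(r"\$\s?(\d[\d,]*)")


def config_deviations(config, defaults=BUILDER_DEFAULTS):
    """Return the default-profile fields this build changed; an empty list means
    the operator shipped the builder's defaults untouched."""
    return sorted(k for k, v in defaults.items() if config.get(k) != v)


def parse_note(note):
    """Pull the brand heading, contact channels and stated price out of a ransom note."""
    first = note.strip().splitlines()[0]
    amount = AMOUNT.search(note)
    return {
        "brand": first.strip(" ~"),
        "mentions_lockbit": "lockbit" in note.lower(),
        "tox": TOX_ID.findall(note),
        "emails": EMAIL.findall(note),
        "amount_usd": int(amount.group(1).replace(",", "")) if amount else None,
    }


def classify(sample, max_deviations=1):
    """Flag a sample as a rebrand (no LockBit branding in the note) and as a
    near-default build (at most max_deviations fields changed from the defaults)."""
    info = parse_note(sample["note"])
    deviations = config_deviations(sample["config"])
    return {
        "id": sample["id"],
        "brand": info["brand"],
        "rebrand": not info["mentions_lockbit"],
        "near_default_build": len(deviations) <= max_deviations,
        "deviations": deviations,
        "contacts": info["tox"] + info["emails"],
        "amount_usd": info["amount_usd"],
    }


def summarize(samples, max_deviations=1):
    """Counts in the shape the article reports: total samples, near-default
    builder output, and notes that never mention the original brand."""
    results = [classify(s, max_deviations) for s in samples]
    return {
        "total": len(results),
        "near_default_builds": sum(r["near_default_build"] for r in results),
        "no_lockbit_in_note": sum(r["rebrand"] for r in results),
    }


def shared_infrastructure(samples):
    """Pivot on contact channels: a Tox ID or e-mail reused under different
    brand headings ties those 'new' ransomware names to one operation."""
    by_channel = defaultdict(set)
    for s in samples:
        info = parse_note(s["note"])
        for channel in info["tox"] + info["emails"]:
            by_channel[channel].add(info["brand"])
    return {ch: sorted(brands) for ch, brands in by_channel.items() if len(brands) > 1}


if __name__ == "__main__":
    for r in (classify(s) for s in SAMPLES):
        print(r["id"], r["brand"], "rebrand" if r["rebrand"] else "branded",
              "near-default" if r["near_default_build"] else f"{len(r['deviations'])} changes")
    print(summarize(SAMPLES))
    print(shared_infrastructure(SAMPLES))
```

On real data the configuration would come from a config extractor for the builder output and the threshold in `classify` would be tuned against known-good builder defaults; the infrastructure pivot is the same one that links the ADHUBLLKA rebrands, since operators change the heading far more readily than the mailbox or Tox identity they collect payments through.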

The ransomware landscape keeps shifting in tactics and targets, with growing attention to Linux environments from families such as Trigona, Monti, and Akira, the last of which has links to Conti-affiliated threat actors.

August 29, 2023
