Someone has leaked the latest version of LockBit’s encryptor to the internet, and while at first it might seem like a data breach and theft, the ransomware operator’s public representative claims it’s actually the work of a disgruntled developer.
A brand new Twitter account named Ali Qushji claimed their team hacked the servers of LockBit and found a builder for the LockBit 3.0 ransomware encryptor. Following the tweet, malware source code library VX-Underground chimed in, saying they were contacted by a user named “protonleaks” on September 10, with the same content.
The same source also said that LockBitSupp, the public representative of the LockBit operation, confirmed that this was not the work of a hacking group, but rather a disgruntled developer, unsatisfied with the ransomware operator’s leadership.
Upset with leadership
“We reached out to Lockbit ransomware group regarding this and discovered this leaker was a programmer employed by Lockbit ransomware group,” VX-Underground tweeted (and subsequently deleted the tweet). “They were upset with Lockbit leadership and leaked the builder.”
BleepingComputer has since confirmed the authenticity of the leak, stating it’s the LockBit 3.0 encryptor’s builder, codenamed LockBit Black, that was leaked. The version, that’s been in the testing phase for two months leading up to June, came with a number of new features, including anti-analysis, a ransomware bug bounty program, and new methods of extortion.
Leaking the builder doesn’t mean whoever gets infected with LockBit can now easily decrypt the hijacked data. Instead, it means that other threat actors can compile their own versions with ease, tweaking various configuration options, the ransom note, and other details. While that might hurt LockBit’s operations to some extent, it also means that organizations could soon be facing an even bigger number of ransomware strains.
This is not the first time an encryptor’s source code leaked online. At the start of Russia’s invasion on Ukraine, a hacker leaked Conti’s source code, a ransomware group that publicly supported the invasion at the time.
Check out our list of the best malware removal solutions out there