Leaked Builder Continues to Inspire New Actors
Category: Ransomware News | Industry: Global | Source: Kaspersky
LockBit continues to demonstrate its prowess as a prominent ransomware group, continually honing its toolkit and cultivating a robust affiliate network attracted by the substantial payouts it offers. Among the most concerning components in the group's arsenal is the LockBit v3 encryptor, also known as LockBit Black. This encryptor incorporates anti-analysis measures and kernel-level functionality, posing significant challenges to analysts and automated systems. The situation becomes more difficult when the encryptor's builder is leaked, inspiring the creation of new variants by other ransomware groups.
In September 2022, Kaspersky's Global Emergency Response Team (GERT) responded to and examined an intrusion that took place between September 25th and 26th, 2022. Malicious activity started with "anonymous network connections" and quickly escalated, within a 15-minute window, to an RDP session using an admin account and the execution of Mimikatz. Roughly two hours later, DLL payloads and a batch script were dropped and executed on the same host from an administrator's RDP session. Encryption of this first host was completed almost four hours after the initial connection. A second host was also compromised; there, however, just shy of 31 hours passed between the RDP connection and system encryption. Activity on the two hosts was similar, but the use of PsExec was noted on the second host.
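The timeline above (RDP logon with an admin account, Mimikatz shortly afterwards, then DLL payloads, a batch script and, on the second host, PsExec) is the kind of chain a defender can correlate per host. The following is an added example written for this summary, not code from Kaspersky or GERT: it replays a constructed, normalised event list (the hostnames, timestamps and command lines are invented and only loosely mirror the report) and flags hosts where an RDP logon is followed by a credential-dumping indicator within a configurable window, and where follow-on activity of the kind described appears after that logon. Field names such as `logon_type`, `image` and `service_name` are assumptions about the log format.

```python
from datetime import datetime, timedelta

# Constructed sample events, normalised from what Windows Security/Sysmon-style
# telemetry would typically provide. Not taken from the Kaspersky report.
SAMPLE_EVENTS = [
    {"ts": "2022-09-25T10:00:00", "host": "HOST-A", "type": "logon", "logon_type": 10, "user": "admin"},
    {"ts": "2022-09-25T10:12:00", "host": "HOST-A", "type": "process", "image": "mimikatz.exe", "user": "admin"},
    {"ts": "2022-09-25T12:05:00", "host": "HOST-A", "type": "process", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\temp\\payload.dll,Start"},
    {"ts": "2022-09-25T12:06:00", "host": "HOST-A", "type": "process", "image": "cmd.exe",
     "cmdline": "cmd.exe /c C:\\temp\\run.bat"},
    {"ts": "2022-09-26T09:00:00", "host": "HOST-B", "type": "logon", "logon_type": 10, "user": "admin"},
    {"ts": "2022-09-26T09:20:00", "host": "HOST-B", "type": "service", "service_name": "PSEXESVC"},
    {"ts": "2022-09-27T15:30:00", "host": "HOST-B", "type": "process", "image": "mimikatz.exe"},
    # Benign interactive (logon type 2) activity that must not be flagged.
    {"ts": "2022-09-25T08:00:00", "host": "HOST-C", "type": "logon", "logon_type": 2, "user": "alice"},
    {"ts": "2022-09-25T08:05:00", "host": "HOST-C", "type": "process", "image": "notepad.exe"},
]

# Substrings that indicate credential dumping (hypothetical, minimal list).
CRED_TOOL_MARKERS = ("mimikatz", "sekurlsa", "lsadump")

# Follow-on behaviours named in the incident summary, keyed by a substring to match.
FOLLOW_ON_MARKERS = {
    "rundll32.exe": "DLL payload via rundll32",
    ".bat": "batch script execution",
    "psexesvc": "PsExec service installation",
}


def _parse(ts):
    return datetime.fromisoformat(ts)


def _text(ev):
    # Flatten the fields a rule would inspect into one lowercase string.
    return " ".join(str(ev.get(k, "")) for k in ("image", "cmdline", "service_name")).lower()


def correlate_rdp_chain(events, cred_window=timedelta(minutes=15)):
    """Per host: first RDP logon (type 10), credential-tool indicators inside
    cred_window after it, and follow-on payload/lateral-movement indicators
    at any later time. Returns {host: finding} for hosts with either."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = {}
    for host, evs in by_host.items():
        rdp = [e for e in evs if e["type"] == "logon" and e.get("logon_type") == 10]
        if not rdp:
            continue  # no RDP session on this host, nothing to anchor on
        first_rdp = _parse(rdp[0]["ts"])
        cred, follow = [], []
        for e in evs:
            t = _parse(e["ts"])
            if t < first_rdp:
                continue
            text = _text(e)
            if any(m in text for m in CRED_TOOL_MARKERS) and t - first_rdp <= cred_window:
                cred.append(e["ts"])
            for marker, label in FOLLOW_ON_MARKERS.items():
                if marker in text:
                    follow.append((e["ts"], label))
        if cred or follow:
            findings[host] = {
                "rdp_logon": rdp[0]["ts"],
                "rdp_user": rdp[0].get("user"),
                "cred_access": cred,
                "follow_on": follow,
                # Credential dumping right after an RDP logon is the strongest signal.
                "severity": "high" if cred else "medium",
            }
    return findings


if __name__ == "__main__":
    for host, f in correlate_rdp_chain(SAMPLE_EVENTS).items():
        print(host, f["severity"], f["rdp_logon"], f["cred_access"], f["follow_on"])
```

On the constructed data HOST-A is rated high (Mimikatz 12 minutes after the admin RDP logon, then the DLL and batch script), HOST-B is rated medium (PsExec service after the RDP logon; the later Mimikatz run falls outside the 15-minute window), and HOST-C is not reported. The window and marker lists are the tuning points: widening the window trades fewer misses for more noise on hosts where administrators legitimately use RDP.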
The ransomware encryptor used in this intrusion was found to be LockBit's; however, the ransom note left behind is distinct from LockBit's. With no mention of LockBit in the ransom note, and with the contact addresses using different mail providers and domains as well, Kaspersky attributes the observed intrusion to a "probable misuse of the builder by actors other than the 'original' LockBit."