Last year, the builder for the LockBit 3.0 ransomware encryptor was leaked, and researchers are now observing hundreds of new variants that spawned directly from that event.
Cybersecurity researchers from Kaspersky have discovered a significantly altered version of LockBit targeting an unnamed entity. This version was allegedly deployed by a group calling itself NATIONAL HAZARD AGENCY, with the key differences from LockBit 3.0 being in the ransom note.
Usually, LockBit doesn’t specify the amount that is to be paid in exchange for the decryption key and uses a proprietary platform for communication and negotiation with its victims. This group, however, told its victims exactly how much money it expects, and called them to use a Tox service and email to communicate.
Hundreds of variants
While this group made headlines, it’s definitely not the only one using LockBit as a foundation for its own ransomware operations. Kaspersky’s telemetry spotted almost 400 unique LockBit samples, 312 of which were created using the leaked builder. At least 77 samples don’t even mention LockBit in the ransom note, distancing themselves from their relatives, entirely.
"Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes," the researchers said. "This indicates the samples were likely developed for urgent needs or possibly by lazy actors."
LockBit is one of the most successful, if not the most successful, ransomware threats out there. This claim was recently made by the US Cybersecurity and Infrastructure Security Agency (CISA), together with its partners the FBI, Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, France, and New Zealand.
In a security advisory published by these organizations, LockBit stole approximately $91 million just from victims in the United States since 2020. In the last three years, the group successfully compromised roughly 1,700 American organizations. Last year alone, some 16% of all attacks targeted State, Local, and Tribunal (SLTT) governments, MS-ISAC’s data shows. So municipal governments, counties, educational institutions, and public service organizations, were some of the most popular targets.
- Here's our rundown of the best firewalls
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.