Security researchers are warning that a new wave of LockBit ransomware variants is in the wild following a leak of the source code used by the prolific ransomware gang last year.

First emerging in 2020, the LockBit ransomware gang operates on a ransomware-as-a-service model where affiliates use already-developed ransomware to execute attacks. In its time, LockBit has regularly been one of the most prolific ransomware groups and was named as the most active threat actor in January.

The latest version of the group’s ransomware, LockBit 3.0 — also known as LockBit Black — was launched in June 2022 with a promise to “make ransomware great again.” But in an arguably ironic twist, the source code for the release was stolen and shared online last September.

The stolen code is now being used by other ransomware gangs to create their own customized versions of the ransomware, according to a report by AO Kaspersky Lab. “Immediately after the builder leak, during an incident response by our GERT team, we managed to find an intrusion that leveraged the encryption of critical systems with a variant of Lockbit 3 ransomware,” the researchers wrote. “Our protection system confirmed and detected the threat as “Trojan.Win32.Inject.aokvy.”

The variant was confirmed as LockBit, but the ransom demand procedure differed from the ones known to be used by LockBit itself. The group behind the variant identified itself as a previously unknown group going by the name of “National Hazard Agency” and included a specific ransom and contact details, also not typical of LockBit attacks.

To assess how widespread unofficial LockBit variants are, the researchers analyzed 396 samples of recent attacks attributed to LockBit and found that 77 of the 396 samples did not include any reference to LockBit in the ransom note, something the gang typically has in their attacks. “The modified ransom note without reference to Lockbit or with a different contact address (mail/URL) reveals probable misuse of the builder by actors other than the ‘original’ Lockbit,” the researchers note.

Perhaps also surprisingly, many of the LockBit variants did not have the command-and-control communication function enabled, suggesting that the code was being used for only encryption attacks versus more modern ransomware attacks that not only encrypt data but steal it for extra leverage over victims.

“The established actors in the threat landscape know full well the need for Operational Security and what we’re seeing represents the fallout from an OpSec breach,” Colin Little, security engineer with threat intelligence provider Centripetal Networks Inc., told SiliconANGLE. “Suddenly, not only is the barrier to entry for the LockBit group removed, but a good deal of their weaponized techniques, tactics and procedures have been exposed.

Little added that the upside is that “law enforcement now has a lot of comparative data which will be used to close in around the LockBit group” and that the leaked code “will also help cyber defenders prevent infiltration around the LockBit and affiliate TTPs.”

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., commented that “it’s very common for other hackers to take advantage of ransomware and other malware programs once the toolkit or source has leaked.”

“Most hackers are lazy and they will take the quickest, shortest route to ill-gotten gains, even if it means, as it did in this instance, sub-optimal gains,” Little explained. “By hard-fixing the price, the ransomware gang doesn’t have the opportunity to increase the ransom amount if they come across a bigger victim.”

Image: Bing Image Creator