Since Wednesday night, the cybercriminal community has been witnessing a funny scene. One of the partners of the LockBit gang, the most active in 2022, posted on Twitter Y github a development kit that allows you to create your own version of the ransomware of the same name. This type of malicious tool encrypts the victim’s data with the effect of rendering infected machines and other software useless. The software even includes a module to customize the ransom note deposited on computers, so that victims can contact criminals and possibly negotiate monetary compensation for damages caused.
Quickly, a LockBit spokesperson expressed in a private forum: the gang would have stopped paying one of its developers for arrears related to alcohol and drug problems. The cybercriminals wanted to pay him only for the performance of the work, but the pseudo-dismissal would have angered the partner, who released the tool in question into the wild. While LockBit says it’s not worried about the leak because his business would depend more on his organization than his tool, cybersecurity experts are concerned that many cybercriminals will try to exploit the leaked software.
LockBit ransomware number one
According to analysts from the French company Sekoia, LockBit is the number one ransomware in number of attacks claimed since the beginning of the year. Among his hundreds of victims, we find in particular Corbeilles-Essonne Hospital Y Mobile mail. The great strength of this gang is above all in its structure. The group operates as a startup, with the desire to integrate as many tools and techniques as possible.
It is also constantly improving the software responsible for encrypting the data, which is in its third version, with the aim of making it more efficient and preventing cybersecurity experts from creating an antidote. It is in this process that the group appealed to the developer behind the leak.
An unexpected mistake in an organization that chooses its members
The incident drew ridicule in the community, as LockBit takes particular pride in its organization. Order your affiliates [les partenaires chargés de lancer les attaques, Ndlr] on the other hand: they must have a good reputation in the recruitment forum (used by various structures) and make a deposit of 1 bitcoin (more or less 20,000 euros) to become a partner. These affiliates are subject to a charter that prohibits them from rescuing certain structures, so as not to attract too much attention from the authorities and suffer the same fate as Darkside, dismantled after its attack on the pipeline operator. Colonial Pipeline.
To complete this shell, LockBit has even opened a bug bounty, that is, a program where hackers are paid to report flaws in their tools. A practice that has become common in the business world, but unprecedented among cybercriminals. However, these precautions will not have been enough, probably due to a human fight.
Soon derivatives of LockBit?
LockBit argues that the tool alone is not enough to launch a competing gang, as it requires a certain reputation, both in the cybercriminal community and among victims, to function properly.
If this argument holds, the Babuk leaks last year and the Conti leaks earlier this year (after the cyberattacks) showed that cybercriminals are seizing the opportunity to launch their organization. Therefore, new groups of cybercriminals with software derived from LockBit should appear, especially since it is considered one of the most effective on the market. Compare, the research team attached to The Record Future identified 140 “new” ransomware groups this year, and the vast majority of them use code from Conti (or REvil, which was previously leaked).
However, the appearance of new gangs does not necessarily translate into a proportional increase in the number of successful attacks. Cybercriminals must find partners who can properly and efficiently launch attacks, and then must learn how to manage the relationship with victims, while avoiding excessive exposure to authorities. They must also constantly improve their tools, so that they are not detected and blocked by defenders. In short, the leaked kit can serve as a cornerstone for a new organization, but you still need to build around it.
The only bright spot in this fun episode: cybersecurity researchers will be able to study the development kit and potentially draw pointers that allow them to improve their own tools.