When the prolific LockBit ransomware gang’s prized malware, LockBit 3.0, was leaked last year, rivals and wannabe competitors were quick to seize an opportunity.An analysis by Kaspersky researchers shows several other threat groups took advantage of the leak of the LockBit 3.0 builder to create their own customized version of the ransomware and deploy it in extortion campaigns.In an Aug. 25 post, Eduardo Ovalle and Francesco Figurelli from Kaspersky’s Global Emergency Response Team (GERT) said it did not take long after the September 2022 leak for new variations of the malware to appear.“Immediately after the builder leak, during an incident response by our GERT team, we managed to find an intrusion that leveraged the encryption of critical systems with a variant of Lockbit 3 ransomware,” the researchers said.“Although this variant was confirmed as Lockbit, the ransom demand procedure was quite different from the one known to be implemented by this threat actor.”In the ransom note examined by GERT, the extortionists called themselves the National Hazard Agency, a previously unknown group.The note also stood out because it included a specific ransom demand ($3 million) for the keys to decrypt the victim’s files, and provided email and chat contact details. In contrast, the LockBit group use their own communication and negotiation platform to interact with their victims.Other threat groups identified using LockBit 3.0 included Blacktail's Buhti ransomware operation, the Bl00dy ransomware gang, and GetLucky.
Ransomware, Threat Intelligence
LockBit code leak sparks wave of RaaS attacks

An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



