Leaked LockBit 3.0 Builder Continues to Fuel Ransomware Ecosystem, Complicating Attribution

Leaked LockBit Ransomware Builder Empowers New Wave of Cyberattacks

HIGH
March 12, 2026

Executive Summary

More than a year after its leak in September 2022, the builder for the notorious LockBit 3.0 ransomware continues to be a persistent and widespread threat. Security researchers report that a diverse array of threat actors, from low-skilled opportunists to more organized groups, are using the leaked tool to create and launch their own ransomware campaigns. This has led to a decentralization and proliferation of LockBit-based attacks, making attribution nearly impossible and increasing the overall volume of ransomware incidents. The leak has had a lasting impact on the cybercrime landscape, effectively turning a sophisticated RaaS product into a freely available weapon.


Threat Overview

The leaked LockBit 3.0 builder is a command-line application that allows a user to generate a fully customized ransomware payload. An attacker can configure various options, including the ransom note text, encryption settings, and services to terminate, before compiling a unique executable. This ease of use has lowered the barrier to entry for ransomware deployment, enabling criminals without the technical skill to develop their own malware to conduct damaging attacks.

Security firms are observing a steady stream of incidents involving these custom LockBit variants. In many cases the attackers attempt to rebrand the malware, but forensic analysis reveals its origin in the leaked builder. This complicates threat intelligence, since an attack using a LockBit-based binary can no longer be definitively attributed to the core LockBit group (which itself was recently disrupted by law enforcement).

Technical Analysis

The builder, often referred to as builder.exe, allows for the generation of three key components:

  1. The Encryptor: The main ransomware executable that encrypts files.
  2. The Decryptor: A corresponding tool for the victim to decrypt files if they pay.
  3. Configuration File: An encrypted file containing the attacker's chosen settings.

Attackers use this tool to create variants that are then deployed using common ransomware TTPs. The resulting attacks are characteristic of modern ransomware operations.


Impact Assessment

The 'democratization' of LockBit has several negative consequences for defenders:

  • Increased Attack Volume: More attackers have access to effective ransomware, leading to more attacks overall.
  • Challenging Attribution: It is difficult to determine if an attack is from a sophisticated group or a low-level actor, which affects risk assessment and response prioritization.
  • No Central Point of Failure: Disrupting one group using a LockBit variant has no effect on the countless others. The threat is decentralized and resilient.
  • Wide Range of Targets: Unlike some targeted RaaS groups, the actors using the leaked builder are often opportunistic, targeting any vulnerable organization across any industry, from small businesses to large enterprises.

Detection & Response

  • Signature-Based Detection: While attackers can generate unique binaries, many of the underlying functions and strings within the LockBit code are static. Antivirus and EDR products with up-to-date signatures can often detect and block these variants.
  • Behavioral Analysis: The most effective detection method is to focus on the TTPs. Monitor for behaviors like the deletion of shadow copies (vssadmin delete shadows), disabling of security tools, and rapid, widespread file modification.
  • YARA Rules: Security teams can use or develop YARA rules that hunt for specific code patterns and strings unique to the LockBit 3.0 family, regardless of the custom configuration.
  • D3FEND Techniques: Implement D3-FCR: File Content Rules and D3-FH: File Hashing to detect known LockBit components. More importantly, use D3-BMA: Behavior-based Malware Analysis to identify ransomware-like actions.

Mitigation

Defending against these attacks requires a standard, robust anti-ransomware strategy:

  1. Security Awareness Training: Train users to recognize and report phishing attempts, a primary initial access vector.
  2. Backup and Recovery: Maintain a 3-2-1 backup strategy with offline, immutable backups that are tested regularly.
  3. Patch Management: Promptly patch vulnerabilities in operating systems, software, and appliances to reduce the attack surface.
  4. Network Segmentation: Segment the network to prevent the spread of ransomware from one segment to another.
  5. Multi-Factor Authentication (MFA): Enforce MFA on all remote access services, administrative accounts, and critical applications.

Timeline of Events

  1. September 1, 2022: The LockBit 3.0 ransomware builder was originally leaked online.
  2. March 12, 2026: This article was published.

MITRE ATT&CK Mitigations

Train users to identify and report phishing, a common initial access vector for ransomware attacks.

Enforce MFA on all remote access points and privileged accounts to prevent unauthorized access.

Audit (M1047, enterprise)

Implement robust logging and monitoring to detect ransomware TTPs, such as deletion of shadow copies or disabling of security tools.

D3FEND Defensive Countermeasures

Since the leaked LockBit builder allows attackers to create countless variants with unique file hashes, signature-based detection is unreliable. The most effective defense is behavior-based analysis. Configure EDR and security tools to detect and block core ransomware behaviors. Key rules to implement include: alerting on any process that attempts to delete Volume Shadow Copies (e.g., via vssadmin.exe or WMI calls), blocking processes that try to terminate or disable known security agents, and triggering a high-severity incident when a process rapidly modifies and renames a large number of files. These behavioral tripwires can detect a LockBit-based attack regardless of how the binary was compiled.
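As an added example that is not part of the original report, here are the three behavioural tripwires described above (and in the Detection & Response section) expressed as detection logic over constructed Sysmon-style process-creation and file-rename records. Field names, the security-agent name list, and the rename threshold are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Rule 1: shadow-copy deletion via vssadmin.exe, wmic, or a WMI Win32_ShadowCopy call.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*Delete", re.IGNORECASE)
# Rule 2: killing/stopping protection software. Placeholder names: list your own AV/EDR agents.
SECURITY_AGENTS = {"msmpeng.exe", "windefend", "sense.exe", "edr_agent.exe"}
KILL_CMD = re.compile(
    r"\btaskkill(\.exe)?\s.*?/im\s+(\S+)|\b(?:sc|net)(\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)


def check_process_event(evt):
    """Rules 1 and 2 on one process-creation record; returns (severity, rule) pairs."""
    findings = []
    cmd = evt["cmdline"]
    if SHADOW_DELETE.search(cmd):
        findings.append(("high", "shadow-copy-deletion"))
    m = KILL_CMD.search(cmd)
    if m and (m.group(2) or m.group(4) or "").strip('"').lower() in SECURITY_AGENTS:
        findings.append(("high", "security-agent-kill"))
    return findings


def check_file_events(events, window_s=60, threshold=100):
    """Rule 3: processes renaming more than `threshold` files within `window_s` seconds."""
    by_pid = defaultdict(list)
    for e in events:
        if e["action"] == "rename":
            by_pid[e["pid"]].append(e["ts"])
    flagged = set()
    for pid, stamps in by_pid.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(pid)
                break
    return flagged


# Constructed telemetry, not real captures: pid 4200 renames 150 files in 15 s, pid 4300 only 5.
PROCESS_EVENTS = [
    {"pid": 4120, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4121, "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"pid": 4122, "cmdline": "notepad.exe C:\\Users\\alice\\report.txt"},
]
FILE_EVENTS = ([{"pid": 4200, "ts": 1000 + i * 0.1, "action": "rename"} for i in range(150)]
               + [{"pid": 4300, "ts": 1000 + i, "action": "rename"} for i in range(5)])
```

In production the same functions would consume the EDR or Sysmon event stream; only the mass-rename process and the two suspicious command lines in the sample data trigger findings.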

Given the high probability of encountering a LockBit variant, having a robust and tested incident response plan is critical. This plan must include having offline, immutable backups of critical data (the 3-2-1 rule). Regularly test your ability to restore from these backups to ensure they are viable. The plan should also contain playbooks for isolating infected hosts, identifying the initial access vector, and communicating with stakeholders. The proliferation of LockBit variants means that recovery, not just prevention, must be a core tenet of an organization's security strategy. A successful recovery from backups is the only way to guarantee business continuity without paying a ransom.


Article Author

Jason Gomes
