Why Criminals Keep Reusing Leaked Ransomware BuildersBlame Police Crackdowns on Big Names, Hacker Thrift, Ransomware Grifters in Trouble
When is a LockBit ransomware attack not actually a LockBit attack? Cyber defenders are reporting a profusion of attacks involving stolen or reused strains of ransomware.
"Think of ransomware as something that models and mimics legitimate corporate businesses," Yelisey Bohuslavskiy, chief research officer at Red Sense, said in an interview at Black Hat in Las Vegas this month. Just as startups will learn and evolve, so too do ransomware groups.
Growing pains remain a recurring problem, most recently for high-flier LockBit. Security researcher Jon DiMaggio said the ransomware group has been unable to reliably post stolen data to its leak site and has left affiliates waiting for days and days before responding to their "customer service requests." Predictably, there's been an exodus of affiliates.
LockBit is in trouble, DiMaggio, chief security strategist at Analyst1, told Information Security Media Group. "Just like a legitimate company, if you grow too fast and too quick, and you don't have the infrastructure to support it, you have problems."
Playing With Fire
Ransomware-as-a-service operations such as LockBit previously dominated because they facilitated specialization: Operators developed tough-to-detect malware and maintained a data leak blog to pressure victims, and affiliates used the malware to amass victims. The operator and affiliate split the resulting profits, which amounted to more than they would have made on their own.
Aspiring attackers these days have other good options for procuring ransomware builders. Sophisticated malware source code from LockBit and Conti leaked online can be modified and used for free. Victims are getting hit by what looks like a LockBit crypto-locker, although it's being wielded by the unaffiliated criminals such as the Bloody Ransomware Gang. What looks like Conti may instead be GazProm - named for the Russian gas giant and with a ransom note featuring ASCII art of Russia's president - or even LockBit. Source code for Paradise, which leaked in mid-2021, and Babuk, which leaked later that year, underpins Rapture, as well as RA Group, Rorschach and RTM Locker.
Some attackers go even further, cobbling together various bits of malware into what Allan Liska, principal intelligence analyst at Recorded Future, dubs Frankenstein ransomware. Building these monstrosities may entail borrowing a ransom note from one source, a VMware crypto-locker from another, tying it to a command-and-control network and then launching attacks. They might not look pretty, but so long as they work, why should attackers care?
In a weird twist, even LockBit reuses code from a rival. Version 4 of its ransomware, which appeared early this year and has the internal codename LockBit Green, is little more than a slightly updated version of Conti's ransomware that dates from February 2022. "LockBit did make some changes to improve the build, but overall, this is lame and not what you expect from the world's most notorious ransomware gang," DiMaggio wrote.
The cause ties back to LockBit leader "LockBitSupp" apparently failing to properly compensate his key developer, who previously worked on DarkSide and BlackMatter ransomware - and perhaps also worked with the FIN7 cybercrime group - and who built and supported LockBit Black, or version 3.0, which was released in June 2022, DiMaggio reported. Their falling out led the developer to leak a copy of the LockBit source code as part of his kiss-off.
While affiliates still have the option of using LockBit 3.0 in an attack, it's detected outright by most anti-malware products, according to VirusTotal. That makes the malware less useful to affiliates, because they need to bypass security tools to enable their malware to execute and crypto-lock endpoints.
Attackers keep crafting fresh strategies to try and hit endpoints anyway. Last week, the Spanish National Police warned that it had been seeing a wave of phishing attacks leading to LockBit infections. The phishing emails themselves have so far targeted architecture firms and carry a
fotoprix.eu return email address, which uses a malicious domain designed to resemble the legitimate
fotoprix.com domain owned by Spanish photography service firm Fotoprix.
Police said the attacks involve a heavy dose of social engineering; the initial email doesn't come with malware attached. Instead, "after exchanging several emails, the attackers propose to set a date to hold a meeting" for specifying a budget, and at that point they send a file that supposedly contains pertinent details. Instead, it leads to a LockBit infection.
Whether these attacks trace to LockBit affiliates or unaffiliated groups who have adapted its source code so far remains unclear. For both attackers and victims, the difference matters little if the ransomware attempt is successful.