LockBit3.0 Leak

Executive Summary

LockBit3.0 is the number one ransomware group in the ransomware industry. The group's operations are so vast and powerful that we have witnessed weeks in which LockBit's victim count exceeded that of all other ransomware families combined.

Ever since the Conti leaks, LockBit has held the ransomware throne with no intention of stepping down anytime soon.

Although business seems to be thriving for the ransomware group, the ship is currently being shaken by a relatively unknown threat actor who claims that his group compromised LockBit's servers and leaked the group's builder and keygen module.

This case takes us back to the Conti Leaks incident and raises an important question: is this the beginning of the end for LockBit?

Leak Publication

A threat actor named Ali Qushji claims to have hacked several of LockBit's servers and obtained the LockBit3.0 builder and the key generator (Figure 1).

Figure 1: Ali Qushji's tweet about the leak

The Twitter account of Ali Qushji is an anonymous one. It was created specifically for this event, which suggests that the threat actor behind the profile might be an experienced one.

The publication technique was to go to the feeds of security figures such as Brian Krebs and 3xp0rt and comment there about the group's findings, which has been attracting a lot of attention in the last few hours.

Looking at the published files, we found the builder and key generator modules. The builder produces several executables that perform the encryption and loading phases of LockBit's ransomware attack flow, along with ransom note creation.

ContiLeaks Similarity

Both threat actors leaked builders and keygen modules. The difference between the two is the additional information ContiLeaks published, which was the actual ending of Conti: all of the chats and other private information about the group's members.

ContiLeaks Differences

The ContiLeaks incident has more differences than similarities with this one. The first difference is the motivation: while ContiLeaks targeted Conti's servers because the group sided with Russia in the conflict, Ali Qushji seems to have targeted LockBit's servers out of ego or for the challenge.

In addition, ContiLeaks seemed to work alone, while Ali Qushji claims he works with a team. Another main difference is the leak content. ContiLeaks' content was far more devastating than the leaks Ali Qushji is currently publishing, although we do not yet know what other treasures he found on their servers.

Long Time Coming?

In the past several months, LockBit became something more than just a ransomware group. Leaving aside the fact that they are the undisputed champions of this industry, they have also become somewhat of a celebrity in the underground community, with PR and other gimmicks that their followers were more than happy to take part in.

One of LockBit's recent PR stunts was an offer to pay anyone who got a tattoo of their logo. The group offered $1000 for this act and, as expected, a massive number of followers declared that they were going to get, or had already gotten, a LockBit tattoo. The group had to publish another announcement limiting the offer given the overwhelming response (Figure 2).

Figure 2: LockBit's announcement limiting the tattoo campaign

Another publicity stunt, and a show of considerable confidence, was offering a bug bounty program to anyone who finds vulnerabilities in their servers; the group claims to have already paid $50,000 to pen-testers.

In addition, as part of their PR campaign, they have done interviews and talked freely about their exploits and their plans for the future.

All of these actions by LockBit lead to the main question: was this a long time coming? Could we have expected them to be compromised at some point?

The answer is, of course, yes. In the underground communities we see many actions taken by certain individuals driven by nothing other than ego, and what better pat on the back is there than compromising the number one ransomware group in the world?

The confidence and arrogance of the notorious group got them a lot of followers, but a lot of enemies as well.

The Beginning of The End?

The big question is "What's next?". LockBit is a well-organized crime syndicate, and like other large crime organizations, they plan for incidents like this.

Nevertheless, the answer to this question depends on one simple fact: if Ali Qushji and his colleagues found more sensitive information than the builder and key generator and publish it, LockBit might find themselves on the same road to the end that Conti travelled after the ContiLeaks incident.

If the leaked information is all that Ali Qushji found, the incident may end up as a slap on the wrist for LockBit, leading to some setbacks and a slight slowdown in their activities over the next couple of weeks, but nothing too serious.

Overall, the Cyberint Research Team does not see how this leak, in particular, poses an actual threat to the group's continuity. LockBit is here to stay, and we expect to keep seeing them in our lives, unfortunately.
