[MART] - Daily Diary #604 - Lockbit 3.0 Builder Already Used In The Wild

ctas-mat at appgate.com ctas-mat at appgate.com
Wed Sep 28 21:52:06 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/28/2022 - Diary entry #604:

Last week, on Daily Diary #600, we talked about the leakage of the Lockbit 3.0 builder (the tool responsible for building and configuring Lockbit samples). The tool was published on GitHub by an unsatisfied member of Lockbit and, as our prediction came true, it already started to be used in the wild.

Early this week, the Bl00Dy Ransomware Gang started to use the recently leaked Lockbit builder in attacks against companies. The Bl00Dy Ransomware Gang started its activities in May this year when it targeted a group of medical and dental practices in New York.

During their previous campaigns, the threat actors used to rename all the encrypted files by appending “.bl00dy“ to the files. However, now they are using extensions generated by the builder tool. They customized the ransom note, with their data and contact information.

As we covered in many of our Daily Diaries, Lockbit is one of the most dangerous ransomware groups active nowadays. Therefore, with tools and source code recently leaked – like Conti ransomware – we may expect threat actors to use them in their attacks.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team


E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220928/073ef456/attachment.htm>

More information about the MART mailing list