LockBit 3.0 Builder Code Leak Technical Analysis

On September 21, 2022, the LockBit 3.0 ransomware builder named “Black” was leaked online by a developer working for the LockBit threat group. On September 22, 2022, security researchers Yang HuiSeong and Jeong Hyunsik released a technical analysis of the code.
LockBit 3.0 Builder Code Leak Technical Analysis

On September 21, 2022, the LockBit 3.0 ransomware builder named “Black” was leaked online by a developer working for the LockBit threat group. On September 22, 2022, security researchers Yang HuiSeong and Jeong Hyunsik released a technical analysis of the code. The leaked code is currently available on GitHub.

Threat Actor Details

LockBit is a Ransomware-as-a-Service (RaaS) operation, meaning the threat group sells the LockBit ransomware tool to other threat actors. The LockBit ransomware was recently upgraded to version 3.0.

The most notable attacks involving the ransomware are:

The June 2022 LockBit Campaign

In this campaign, threat actors sent phishing emails in Chinese with a malicious file disguised as a copyright claim. The emails came from an email account impersonating a legitimate illustrator to make the email seem more legitimate. The name of the malicious file attachment included the password to open the file, which matches the tactics used in the February 2022 LockBit campaign. The malicious attachment is a compressed file containing a second compressed Nullsoft Scriptable Install System (NSIS) file, which includes an executable disguised with a PDF file icon. This executable installs the ransomware on the targeted machine and runs multiple operations for reconnaissance, obfuscation, and persistence.

The February 2022 LockBit Campaign

This campaign also leveraged phishing emails with malicious copyright-themed attachments containing compressed files with passwords. As in the June 2022 campaign, the compressed files are NSIS file types. The executable for this campaign is disguised as a JPEG file, as with the May 2021 Makop campaign. The executable then runs reconnaissance, obfuscation, and persistence operations, nearly identical to the June 2022 campaign.

The May 2021 Makop Campaign

In May 2021, ASEC researchers discovered a phishing campaign delivering the Makop ransomware. Unlike previous Makop phishing efforts that used job applications and resumes as themes, the May 2021 campaign began using claims of copyright infringement as a theme. Phishing emails in this campaign included a malicious compressed file as an attachment. As in the February 2022 campaign delivering LockBit, the May 2022 Makop campaign used an executable disguised as a JPEG file, where upon execution, the Makop ransomware deleted volume shadow copy, encrypted files on the infected computer, and created a ransom note txt file.

Technical Details

The researchers provided information on four files: Build[.]bat, Config[.]json, Builder[.]exe, and Keygen[.]exe.

Build[.]bat

This file creates an RSA public/private key pair by executing the Keygen[.exe] and Builder[.] exe files that generates the ransomware using the generated key pair.

Config[.]json

This file contains the setting values for generating the encryptor and decryptor. Configurations include:

  • bot: Configuration about the bot feature stealing information from infected devices (Not used)
  • config: Configuration values that determine the behaviors for the LockBit 3.0 ransomware
  • white_folders: List of folders to exclude from encryption
  • white_files: List of files to exclude from encryption
  • white_extens: List of extensions to exclude from encryption
  • white_hosts: List of hostnames to exclude from encryption
  • kill_processes: List of processes to be terminated before encryption
  • kill_services: List of services to be terminated before encryption
  • gate_urls: List of URLs to be used as the C2 server
  • impers_accounts: List of credentials to be used for logon
  • note: Ransom note content

Builder[.]exe

This file generates the encryptor and decryptor. The parameters for execution are:

-type

  • enc: Generate Encryptor
  • dec: Generate Decryptor

-config

  • Configuration file path

-exe, -dll, -ref(reflectiveDLL)

  • File type to be created

-pass

  • When creating an Encryptor, the password required to execute the Encryptor
  • Passwords required to execute Encryptor are stored in Password_exe.txt and Password_dll.txt respectively

-pubkey, -privkey

  • Path of the key file to be used when creating Encryptor and Decryptor

-ofile

  • File path to save

Keygen[.]exe

This file generates key pairs for encryption. The researchers provided the following details:

Parameters:

-path: Folder path to save generated key pair file

-pubkey: File name to use for Encryptor as public key (256 bytes)

— The first 128 bytes contain e value (fixed at 65537), and the last 128 bytes contain N value

  • -privkey: File name to use for Encryptor as private key (256 bytes)

— The first 128 bytes contain d value and the last 128 bytes contain N value

Key generation is performed as follows.

  • Keygen[.]exe is written based on MIRACL.
  • Generates an RSA-1024 key to encrypt the file encryption key, and the e value is fixed to 65537.
  • When generating 512-bit prime numbers p and q, create a 256-byte seed with the rdrand x86 instruction.
  • Then, pass the seed to the strong_init function of MIRACL to initialize the CSPRNG, and use the strong_bigdig function to get a 512-bit value.
  • The keygen.exe is implemented to use RIPEMD-160 instead of SHA-256 used in the original library.

Afterward, a 16-byte Decryption ID is generated to identify the infected PC and stored in a generated txt file.

IOCs

HuiSeong and Hyunkik provided the following indicators of compromise (IOCs) Note: these hashes are specifically for the LockBit 3.0 builder. The ransomware delivered to targets would have additional IOCs specific to the victim environment:

Indicator Type Notes
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339 SHA256 Build[.bat]
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6 SHA1 Build[.bat]
4e46e28b2e61643f6af70a8b19e5cb1f MD5 Build[.bat]
3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8 SHA256 Config[.]json
f3ed67bdaef070cd5a213b89d53c5b8022d6f266 SHA1 Config[.]json
a6ba7b662de10b45ebe5b6b7edaa62a9 MD5 Config[.]json
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db SHA256 Builder[.]exe
6ae7dc2462c8c35c4a074b0a62f07cfef873c77 SHA1 Builder[.]exe
c2bc344f6dde0573ea9acdfb6698bf4c MD5 Builder[.]exe
 ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37 SHA256 Keygen[.]exe
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4 SHA1 Keygen[.]exe
71c3b2f765b04d0b7ea0328f6ce0c4e2 MD5 Keygen[.]exe

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

More Recent Blog Posts

View All Blogs