Kaspersky researchers have observed a surge in new ransomware variants built from the leaked code of LockBit 3.0, which allows threat actors of various kinds to create their own ransomware.
Approximately 396 samples related to LockBit were identified, revealing differences in ransom notes, decryption key paths, communications, and other aspects. While some credited the LockBit gang for providing the tools, others did not.
Creating a Path for Similar Ransomware Groups
In the realm of cybersecurity, ransomware groups are considered an elite class due to their techniques, targets, and consequences. Some countries even support the creation of official threat groups, known as Advanced Persistent Threats, to steal intelligence from rival nations.
Handling matters related to these groups requires careful attention. While security researchers and companies work to combat these threats, threat actors continually evolve their techniques to target victims.
Those who lack the ability to develop tools independently often resort to copying popular malware and adapting it to their specific needs. The leak of LockBit 3.0 source code last year resulted in other threat actors creating similar ransomware.
Kaspersky researchers identified a new group apparently formed using the LockBit code, naming it the National Hazard Agency. This LockBit variant, observed in a recent intrusion against a target, shares similarities with the original but uses a modified ransom note that states the ransom demand directly. In contrast, LockBit typically directs victims to contact the group for negotiation.
Additionally, researchers have identified other LockBit variants, such as Bl00dy and Buhti, in different incidents. Overall, Kaspersky documented a total of 396 distinct LockBit samples in its telemetry, with 77 samples making no reference to “LockBit” in the ransom note.
Similarly, ransomware groups like Trigona, Monti, and Akira have emerged from the leaked code of other popular ransomware families, with Akira being linked to the Conti group.