The LockBit ransomware operation has taken a severe blow after a developer leaked the builder for its newest ransomware encryptor online. The encryptor, codenamed LockBit Black, was officially released in June, after two months of testing.

Compared with the old version, the newest version of the encryptor boasted new anti-analysis features, a ransomware bug bounty program, and new extortion methods.

The Builder Leaked on Twitter

According to security researcher 3xport, a newly registered Twitter user named “Ali Qushji” declared that their team hacked LockBit’s servers and found a builder for the LockBit Black (3.0) ransomware encryptor.

After 3xport announced the breach, VX-Underground revealed that on September 10th, a user going by the handle “protonleaks” approached them and offered them a copy of the builder. The relationship between the two Twitter users is still unknown. In contrast to Ali Qushji’s allegations, VX-Underground said that LockBitSupp, the LockBit operation’s public representative, claims that they were not hacked and that an angry developer leaked the private ransomware builder instead.

The leaked builder is indeed legitimate, BleepingComputer reported after multiple security researchers confirmed it.

Anyone Can Use The Builder

The enterprise has suffered a serious loss as a result of the disclosure, because more threat actors will use the builder to launch their own attacks. With the builder, anyone can easily create the executables needed to start their own operation: it includes an encryptor, a decryptor, and customized tools to run the decryptor in particular ways.

LockBit 3.0 Builder Files (Source: BleepingComputer)

The builder consists of four files, one of them being the “config.json” file. Threat actors can access it and customize the encryptor in multiple ways, including modifying the ransom note, changing configuration options, deciding what processes and services to stop, and even specifying the command and control server that the encryptor.

When testing the builder, BleepingComputer was able to easily modify it to utilize their local command and control server, encrypt their data, and then decrypt it.

This is not the first time ransomware source code or a ransomware generator has been leaked online. The Babuk ransomware builder leaked in June 2021, enabling anyone to create encryptors and decryptors. A similar case happened in March 2022, when the Conti ransomware operation suffered a breach and its source code leaked online.

Author Profile

Cristian Neagu


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.