Feud between cybercriminals releases dangerous software into the wild

The cybercrime community has been witnessing an interesting scene since Wednesday night. One of the partners of the LockBit gang, the most active ransomware gang of 2022, posted on Twitter and GitHub a development kit that allows anyone to build their own version of the ransomware of the same name. This type of malicious tool encrypts the victim's data, making the infected machine and the software on it unusable. The program even includes a module to customize the ransom note left on the computer, so that victims can contact the criminals and possibly pay the ransom demanded.

Soon afterwards, a LockBit spokesperson explained on a private forum that the gang had stopped paying one of its developers because of delays attributed to alcohol and drug problems. The gang only wanted to pay him for work actually delivered, but this dismissal angered the partner, who released the tool in question into the wild. While LockBit said it was not concerned about the leak, because its business depends more on its organization than on its tools, cybersecurity experts worry that many cybercriminals will try to exploit the leaked software.

LockBit, the #1 ransomware

According to analysts at the French firm Sekoia, LockBit is the number one ransomware by number of claimed attacks since the beginning of the year. Among its hundreds of victims are, notably, the Corbeil-Essonnes hospital and La Poste Mobile. The gang's strength lies above all in its structure: the group operates like a startup, looking to integrate as many tools and technologies as possible.

It also continually improves the software responsible for encrypting data, now in its third version, to make it more efficient and to prevent cybersecurity experts from creating an antidote (a decryption tool). It was for this work that the group had called on the developer behind the leak.

An unexpected error in an organization that carefully selects its affiliates

The incident drew ridicule from the community, as LockBit was particularly proud of its organization. It screens its affiliates [the partners responsible for launching the attacks, editor's note] carefully: they must have a good reputation on the recruitment forums (used by several groups) and deposit 1 bitcoin (roughly 20,000 EUR) to become a partner. Those affiliates are then bound by rules that prohibit them from ransoming certain organizations, so as not to draw too much attention from the authorities and suffer the same fate as DarkSide, which was dismantled after the attack on the oil pipeline operator Colonial Pipeline.

To complete the picture, LockBit even opened a bug bounty, that is, a program in which it pays hackers to report flaws in its tools. This practice is already common in the business world, but it is unprecedented among cybercriminals. These precautions, however, were not enough, probably because of human squabbles.

Derivatives of LockBit?

LockBit believes that the tool alone is not enough to launch a competing gang, since a gang needs a certain reputation among both the cybercrime community and its victims to function properly.

If this argument holds, the Babuk leak last year and the Conti leak earlier this year (following the cyberattack) nonetheless suggest that cybercriminals seize such opportunities to start their own organizations. New cybercriminal groups using LockBit-derived software should therefore emerge, especially since it is considered one of the most effective on the market. By way of comparison, a research team affiliated with Recorded Future discovered 140 "new" ransomware groups this year, the vast majority of which used code from Conti (or from REvil, leaked earlier).

However, the emergence of new gangs does not necessarily translate into a proportional increase in the number of successful attacks. Cybercriminals need to find partners who can launch attacks properly and effectively, and then they need to learn how to manage their relationship with their victims while limiting their exposure to the authorities. They must also continually improve their tools to avoid being detected and stopped by defenders. All in all, the leaked kit can serve as a cornerstone for a new organization, but one still has to build around it.

The only positive aspect of this interesting episode: cybersecurity researchers will be able to work on the development kit and possibly identify markers that will allow them to improve their own tools.