The Lockbit hacker collective, known in France for attacking a hospital in Corbeil-Essonnes, has had its own ransomware leaked. A disagreement over payment between the criminals and a developer is at the root of the affair.
Lockbit has been stopped in its tracks. While the hacker group was stringing together high-profile cyberattacks, an internal dispute led to the leak of the “builder” (the creation kit) for its own malware on social networks on September 21. A mysterious account dubbed Ali Qushji, created the same day, posted a file on Twitter containing the elements and code required to assemble Lockbit's ransomware.
This malware is today one of the most effective on the market for stealing and locking up victims’ data. It received significant media attention when it was used in the attack against the Corbeil-Essonnes hospital on September 12. The file is still available on GitHub. According to Bleeping Computer, which was able to view the documents, the builder consists of four files, including an encryption key generator and configuration instructions. The American outlet even managed to customize the software using the elements posted online.
A dispute over pay
A builder freely available on the internet is a de facto turnkey ransomware kit: thousands of hackers can use it to configure their own tool and carry out similar operations in turn. So how did such an essential file, held solely by Lockbit, end up on Twitter? 3xp0rt, a cybersecurity researcher, reports that a conflict caused the leak.
On a Russian hacker forum closed to new members, the administrator of the criminal collective explained that he had called on a developer to improve the software, as an ordinary company would. Lockbit refused to pay its provider after delays in delivering the software and promised the money once the tasks were completed. After several disputes, the developer in question finally decided to withdraw from the project and dump all the files on GitHub.
He had first contacted vx-underground, a well-known blog run by security researchers, but the latter refused to take the builder, aware that it would be useful to many criminals.
Lockbit is not going to die out. “This situation is obviously unpleasant, but it motivates us to find new developers and code new products,” says the administrator of the group on a forum. In the space of a year, the collective has become one of the world’s most prolific hacking groups, accounting for more than a third of ransomware attacks recorded last May/June, according to an Intel471 report.
Nor is this the first time that ransomware source code has been exposed. The Babuk ransomware leaked as early as June 2021; this malware, designed to encrypt Windows documents, is still in use. In March 2022, it was the turn of the Russian hacker group Conti to suffer a leak, after it announced its support for Vladimir Putin. The source code was quickly picked up by the NB65 collective to launch attacks in Russia. Security researchers will also have the opportunity to study this malware to update their defenses, but hackers are usually one step ahead. We can naturally expect to see variants of Lockbit appear in the coming months.