Hackers Customize LockBit 3.0 Ransomware To Attack Orgs Worldwide

Hackers leverage the LockBit 3.0 ransomware due to its sophisticated encryption functionalities, which enable them to successfully encrypt victims’ files and request a ransom in order to supply decryption keys.

The stealthiness of LockBit 3.0 enhances the attack methods, which allow threat actors to have a better chance of successfully deploying ransomware by enabling them to trespass into systems without permission.

Cybersecurity researchers at Kaspersky Labs recently discovered that hackers are actively exploiting customized LockBit 3.0 ransomware to attack organizations worldwide.

Customize LockBit 3.0 Ransomware

Recently, the threat actors demonstrated their power to obtain unencrypted administrator logins through an incident response engagement.

Such credentials were used to design and generate the latest variant of LockBit 3.0 ransomware.

To perform lateral movement, this customized malware utilized stolen passwords, turned off Windows Defender, wiped out event logs, and finally encrypted data across the network.

A simplified LockBit 3.0 builder makes it easier for threat actors to select options such as impersonation, network share encryption, process termination, and network propagation via PsExec.

Document

Stop Advanced Phishing Attack With AI

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .

This occurrence explains the danger involved in identity theft as well as how conveniently threat actors weaponize tools like LockBit 3.0 into highly individualized and evasive ransomware threats.

The builder allows attackers to customize ransomware by selecting which files, directories, and systems to encrypt or exclude based on the target’s network architecture.

Tailored malware is generated, including the main executable (LB3.exe) for delivery, a decryptor, password-protected variants, and injection techniques.

Running this custom build demonstrates its ransomware functionality, though paying the ransom is inadvisable and unlikely to recover files.

Custom ransom note (Source – Securelist)

Files were successfully decrypted in a secure laboratory using the decryptor that researchers had made themselves for their ransomware sample.

However, after Operation Cronos in February 2024, which led to the confiscation of their infrastructure and decryption keys by law enforcement agencies, the true LockBit group temporarily stopped its activity.

Besides this, the LockBit declared they had resumed operations shortly. The check_decryption_id utility will allow users to verify if they have the right keys for known victims.

check_decryption_id.exe execution (Source – Securelist)

The check_decrypt tool assesses decryptability, but the outcome depends on multiple conditions, and this tool just checks which conditions are met in the analyzed systems.

A CSV file is created, listing decryptable files and providing an email address for further instructions on restoring them.

This toolset caught our attention because we had investigated several LockBit threat cases.

Researchers ran victim IDs and encrypted files through the decryption tool, but most showed the same result, “check_decrypt” confirmed decryption was impossible using known keys.

The leaked builder was used by LockBit competitors to target Commonwealth of Independent States companies, violating LockBit’s rule to avoid compromising CIS nationals, triggering a dark web discussion where LockBit operators explained their non-involvement.