A developer disgruntled with LockBit’s leaders leaked a builder that allows all manner of malicious actors to generate their own ransomware variants.
Back in September 2022, source code for the LockBit ransomware was leaked and made available for download by all manner of cybercriminals and state-sponsored threat groups. Researchers have since been tracking multiple threat groups’ efforts to capitalize on the leaked source code to launch ransomware attacks.
After investigating a specific thwarted ransomware attack, researchers have uncovered a ransomware note from a previously unknown group calling themselves “BlackDogs 2023”.
The attackers had attempted to exploit an old, unsupported version of Adobe’s ColdFusion server in order to gain access to the target firm’s Windows servers — and then to deploy the ransomware. The attack was blocked by the firm’s defenders, but a latent ransom note demanding 205 Monero (roughly US$30,000) was spotted in the code.
Becoming more desperate, the threat group then made numerous additional attempts to launch their attacks using HTA files and Cobalt Strike binaries — in vain.
According to Sean Gallagher, Principal Threat Researcher at Sophos, which announced the research findings, this is the second LockBit copycat the firm has uncovered in recent weeks. “This is the second, recent incident of threat actors attempting to take advantage of leaked LockBit source code to spin new variants of ransomware that we’ve uncovered in recent weeks. The first instance involved attackers taking advantage of a vulnerability in WS FTP server software. Now, there are copycats looking to take advantage of outdated and unsupported Adobe ColdFusion servers.”
Gallagher suggested that it is “entirely possible that other copycats will emerge, which is why it’s essential for organizations to prioritize patching and upgrading from unsupported software whenever possible.”
Note that patching only closes the hole going forward: where exposed, unsupported software such as ColdFusion servers and WS_FTP has been running, firms also need to check that none of their servers has already been quietly compromised before the patch was applied.