Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks

September 28, 2022  By Pierluigi Paganini


The recently born Bl00Dy Ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild.

The Bl00Dy Ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks in the wild.

Last week, an alleged disgruntled developer leaked the builder for the latest encryptor of the LockBit ransomware gang.

The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.

The code of the encryptor was leaked on Twitter by at least a couple of accounts, @ali_qushji and @protonleaks1.

The builder is contained in a password-protected 7z archive, “LockBit3Builder.7z,” containing:

  • Build.bat;
  • builder.exe;
  • config.json;
  • keygen.exe.

The availability of the builder could allow any threat actor to create its own version of the ransomware customizing it by modifying the configuration file.

Now BleepingComputer first reported that the Bl00Dy Ransomware group started using the Lockbit 3.0 builder to create its own ransomware.

The group in past attacks created its own malware by using leaked builders, such as Babuk and Conti.

Early this week, the researcher Vladislav Radetskiy reported the discovery of a new Bl00Dy Ransomware Gang encryptor that was employed in an attack on a Ukrainian organization. The researchers did not immediately identify the ransomware involved in the attack, it appeared as Conti or LockBit.

MalwareHunterTeam researchers confirmed that the encryptor used in the attack by the Bl00Dy Ransomware group was built using the leaked LockBit 3.0 builder.

BleepingComputer researchers, who tested the Bl00dy Ransomware Gang’s encrypter, confirmed that it was generated with the leaked LockBit 3.0. builder.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Bl00Dy Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

NUVOLA: the new Cloud Security tool

 nuvola is the new open-source cloud security tool to address the privilege escalation in cloud environments. nuvola is the new open...