Leaked LockBit Tools: Novice Hackers Target Vulnerabilities

Ransomware-as-a-Service

The LockBit collective, having besieged thousands of organizations globally, grappled with the leakage of their tools in September 2022 due to the discontent of an affiliate. Cybersecurity connoisseurs immediately voiced trepidations that neophyte hackers could forge their own ransomware employing the pilfered apparatus.

Sophos discerned that such apprehensions were not unfounded. Recent weeks have witnessed at least two incidents wherein hackers deployed bespoke ransomware iterations crafted utilizing tools from the LockBit suite, exploiting prevalent vulnerabilities.

Ransomware-as-a-Service

One such instance pertains to hackers capitalizing on the vulnerability CVE-2023-40044, impacting the WS_FTP Server product by Progress Software. This vulnerability was unearthed three weeks prior, and Progress proactively issued a corrective patch; nevertheless, Sophos researchers attest to discovering yet unpatched servers.

Christopher Budd of Sophos asserted that in the scrutinized assaults, his team exclusively observed ransomware, compiled and rooted in the LockBit source code breach from yesteryear.

Sophos also disseminated a replica of a ransom missive, purportedly dispatched by “The Reichsadler Cybercrime Group.” The communique demanded a bitcoin ransom equivalently priced at $500.

In another episode, hackers, wielding a LockBit facsimile, endeavored to assail obsolete and unsupported Adobe ColdFusion servers. In this circumstance, the perpetrators dubbed their ransomware BlackDogs2023. Although the assault was thwarted before fruition, the malefactors solicited a ransom of 205 Monero (approximately $30,000) for the decryption of the “stolen and encrypted” data.

This is the second, recent incident of threat actors attempting to take advantage of leaked LockBit source code to spin new variants of ransomware that we’ve uncovered in recent weeks,” he said.

It’s entirely possible that other copycats will emerge, which is why it’s essential for organizations to prioritize patching and upgrading from unsupported software whenever possible. However, it’s important to note that patching only closes the hole. With things like unprotected ColdFusion servers and WS_FTP, companies need to also check to make sure none of their servers are already compromised, otherwise, they’re still at risk of these attacks,” Sophos concluded.