Quick Overview of Leaked LockBit 3.0 (Black) builder program

S2W

Published in

S2W BLOG

6 min readSep 22, 2022

Author: HuiSeong, Yang & Hyunsik, Jeong | S2W TALON

Last Modified : Sep 22, 2022

Photo by Niranjan _ Photographs on Unsplash

Executive Summary

According to a tweet from 3xp0rt, Ali Qushji was able to infiltrate LockBit’s server and acquire the builder for the ransomware
According to vx-underground, Proton, one of the programmers for the LockBit ransomware group, mentioned that the builder was leaked, but the tweet has now been deleted.

The ransomware group indirectly admitted that the allegations above are true, saying that nothing has been hacked and that they have fired the coder.
LockBit 3.0 Builder leaked by Ali Kushii and Proton are both shared on 3xp0rt’s Github.

Detailed Analysis

1. Build.bat

Build.bat creates an RSA public/private key pair by executing Keygen.exe, and Builder.exe that generates a LockBit 3.0 ransomware using the generated key pair.

ERASE /F /Q %cd%\Build\*.* 
keygen -path %cd%\Build -pubkey pub.key -privkey priv.key 
builder -type dec -privkey %cd%\Build\priv.key -config config.json -ofile %cd%\Build\LB3Decryptor.exe 
builder -type enc -exe -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3.exe 
builder -type enc -exe -pass -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_pass.exe 
builder -type enc -dll -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_Rundll32.dll 
builder -type enc -dll -pass -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_Rundll32_pass.dll 
builder -type enc -ref -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_ReflectiveDll_DllMain.dll 
exit

The list of files created after execution is as follows.

2. config.json

config.json is a JSON configuration file that contains the setting values to be used when generating LockBit 3.0 Encryptor and Decryptor.

bot: Configuration about the bot feature stealing information from infected devices (Not used)
config: Configuration values that determine the behaviors for the LockBit 3.0 ransomware

white_folders: List of folders to exclude from encryption
white_files: List of files to exclude from encryption
white_extens: List of extensions to exclude from encryption
white_hosts: List of hostnames to exclude from encryption
kill_processes: List of processes to be terminated before encryption
kill_services: List of services to be terminated before encryption
gate_urls: List of URLs to be used as the C2 server
impers_accounts: List of credentials to be used for logon
note: Ransom note content

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
Links for Tor Browser:http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionhttp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onionhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onionhttp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onionhttp://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onionhttp://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onionhttp://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onionhttp://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onionLinks for the normal browserhttp://lockbitapt.uzhttp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.lyhttp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.lyhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.lyhttp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.lyhttp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.lyhttp://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.lyhttp://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.lyhttp://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.lyhttp://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly>>>> What guarantees that we will not deceive you?We are not a politically motivated group and we do not need anything other than your money.If you pay, we will provide you the programs for decryption and we will delete your data.Life is too short to be sad. Be not sad, money, it is only paper.If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION IDDownload and install TOR Browser https://www.torproject.org/Write to a chat and wait for the answer, we will always answer you.Sometimes you will need to wait for our answer because we attack many companies.Links for Tor Browser:http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onionhttp://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onionhttp://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionLink for the normal browserhttp://lockbitsupp.uzIf you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox.Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz>>>> Your personal DECRYPTION ID: %s>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
>>>> AdvertisementWould you like to earn millions of dollars $$$ ?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc.Open our letter at your email. Launch the provided virus on any computer in your company.You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html.Using Tox messenger, we will never know your real name, it means your privacy is guaranteed.
If you want to contact us, write in jabber or tox.Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.bizIf this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browserLinks for Tor Browser:http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionhttp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onionhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onionhttp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onionhttp://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onionhttp://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onionhttp://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onionhttp://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onionLinks for the normal browserhttp://lockbitapt.uzhttp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.lyhttp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.lyhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.lyhttp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.lyhttp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.lyhttp://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.lyhttp://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.lyhttp://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.lyhttp://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

3. Builder.exe

Builder.exe is a tool to generate LockBit 3.0 Encryptor and Decryptor. Encryptor and Decryptor are embedded in the resource section.

100: LockBit 3.0 Decryptor (EXE)
101: LockBit 3.0 Encryptor (EXE)
103: LockBit 3.0 Encryptor (DLL)
106: LockBit 3.0 Encryptor (Reflective DLL)

The parameters used during execution are as follows.

-type

enc: Generate Encryptor
dec: Generate Decryptor

-config

Configuration file path

-exe, -dll, -ref(reflectiveDLL)

File type to be created

-pass

When creating an Encryptor, the password required to execute the Encryptor
Passwords required to execute Encryptor are stored in Password_exe.txt and Password_dll.txt respectively

-pubkey, -privkey

Path of the key file to be used when creating Encryptor and Decryptor

-ofile

File path to save

4. Keygen.exe

Keygen.exe is a tool that generates key pairs required for encryption. The parameters used during execution are as follows.

-path : Folder path to save generated key pair file
-pubkey : File name to use for Encryptor as public key (256 bytes)

— The first 128 bytes contain e value (fixed at 65537), and the last 128 bytes contain N value

-privkey : File name to use for Encryptor as private key (256 bytes)

— The first 128 bytes contain d value and the last 128 bytes contain N value

Key generation is performed as follows.

keygen.exe is written based on MIRACL.
Generates an RSA-1024 key to encrypt the file encryption key, and the e value is fixed to 65537.
When generating 512-bit prime numbers p and q, create a 256-byte seed with the rdrand x86 instruction.
Then, pass the seed to the strong_init function of MIRACL to initialize the CSPRNG defined in mrstrong.c, and use the strong_bigdig function to get a 512-bit value, which will be used for generating a prime number.
The keygen.exe uses a modified version of MIRACL, which uses RIPEMD-160 instead of SHA-256 inside the CSPRNG from mrstong.c.