In a major development threatening global cybersecurity, the LockBit 4.0 builder was leaked on February 2, 2025, by the notorious threat actor Babuk-Bjorka through a prominent breach forum. This leak allows cybercriminals of varying technical skill levels to create customized ransomware variants, further escalating the ransomware threat. LockBit 4.0, part of the highly effective Ransomware-as-a-Service (RaaS) model, is known for double extortion tactics, threatening both file encryption and public leaks of sensitive data if ransom demands remain unmet.
Accompanying this leak, Babuk-Bjorka also shared a sample of the Babuk Locker builder, emphasizing a different monetization strategy that primarily focuses on selling decryptors rather than builder kits. This shift signals a new profit strategy within the ransomware ecosystem, where attackers prioritize post-attack decryption services over one-time builder sales.
LockBit’s evolution into version 4.0, reportedly beginning public circulation in 2024, reflects the ransomware's increased complexity and adaptability despite major disruptions. TrendMicro’s analysis highlights that LockBit has consistently evolved from LockBit 1.0 in January 2020, through LockBit 2.0 (“Red”) in June 2021, to LockBit 3.0 (“Black”) in March 2022, having also introduced LockBit Linux in October 2021 to target Linux and VMware ESXi systems. An intermediate version, “Green”, emerged in January 2023 with code adaptations from the defunct Conti ransomware, although it wasn’t classified as the full 4.0 version.
However, 2024 marked a significant turning point for LockBit, as Europol and international law enforcement agencies executed a major takedown operation in February 2024, disrupting its operations temporarily. The group adapted quickly and launched LockBit 4.0, demonstrating resilience and a continued ability to evade law enforcement crackdowns.
Image 1.1: Builder is running
Recent tests conducted by Cyber Defense Insight on the leaked builder indicate that it may be incomplete or intentionally obfuscated. When executed, the builder did not generate a fully functional ransomware executable but instead produced only a decryption key. This suggests that additional components or configurations might be required to activate the builder effectively, keeping less-experienced attackers at bay—at least temporarily.
Image 1.2: Builder failed to generate the exe file and only gave a key file
In its January 8, 2025, analysis, the Republic of Albania National Cyber Security Authority (NCSA) reported that LockBit 4.0 leverages obfuscated PowerShell scripts, bypassing Windows AMSI and using DLL injection through GetProcAddress and VirtualAlloc to execute encrypted payloads in memory. The ransomware then applies AES and RSA encryption, swiftly locking victim files, altering system wallpapers, and dropping ransom notes that demand payment under the threat of sensitive data exposure.
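The behaviour described above (obfuscated PowerShell, AMSI tampering, and in-memory loading via GetProcAddress and VirtualAlloc) leaves traces in PowerShell Script Block Logging (Event ID 4104). The following is an added detection example, written for this article and not code from the NCSA report or from Cyber Defense Insight. It assumes 4104 records flattened to "event_id<TAB>host<TAB>script_text", decodes any -EncodedCommand payload (base64 over UTF-16LE, which is how PowerShell encodes it) before matching, and then applies constructed indicators: any reference to AMSI, and GetProcAddress together with VirtualAlloc in one script block. The sample records and the placeholder script bodies are constructed; they only name the APIs, they do not implement anything.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List

# PowerShell command line carrying a base64, UTF-16LE encoded script
# (-EncodedCommand and its accepted short forms -e / -ec / -enc).
ENCODED_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE
)

# Content indicators derived from the behaviour the NCSA analysis describes.
# Both regexes are constructed for this example and deliberately broad;
# tune them against your own baseline before alerting on them.
CONTENT_INDICATORS = {
    # Any reference to AMSI inside script text is worth a look.
    "amsi_reference": re.compile(r"amsi", re.IGNORECASE),
    # GetProcAddress and VirtualAlloc in the same script block is the
    # in-memory loading pattern described in the article.
    "in_memory_loader_apis": re.compile(
        r"(?=.*GetProcAddress)(?=.*VirtualAlloc)", re.IGNORECASE | re.DOTALL
    ),
}


@dataclass
class Finding:
    host: str
    indicators: List[str] = field(default_factory=list)
    decoded: str = ""  # decoded -EncodedCommand payload, if any


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand payload; returns "" if not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_script_block(record: str) -> Finding:
    """Analyse one flattened 4104 record: "event_id<TAB>host<TAB>script_text"."""
    _event_id, host, script = record.split("\t", 2)
    finding = Finding(host=host)
    texts = [script]
    match = ENCODED_RE.search(script)
    if match:
        finding.indicators.append("encoded_command")
        finding.decoded = decode_encoded_command(match.group(1))
        # Match content indicators against the decoded script, not the base64 blob.
        texts = [ENCODED_RE.sub("", script), finding.decoded]
    for name, regex in CONTENT_INDICATORS.items():
        if any(regex.search(text) for text in texts):
            finding.indicators.append(name)
    return finding


def scan_script_blocks(records: List[str]) -> List[Finding]:
    """Run the analysis over a batch of flattened 4104 records."""
    return [analyze_script_block(r) for r in records]


# Constructed sample records. The script bodies are placeholders that only
# name the APIs the article mentions; they are not a loader or a bypass.
_PLACEHOLDER_SCRIPT = "$k = 'GetProcAddress'; $v = 'VirtualAlloc'  # constructed placeholder"
_ENCODED = base64.b64encode(_PLACEHOLDER_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_4104 = [
    "4104\tWS01\tGet-ChildItem C:\\Reports | Measure-Object",
    "4104\tWS02\tpowershell.exe -nop -w hidden -enc " + _ENCODED,
    "4104\tWS03\t# constructed placeholder: script references Amsi before importing a module",
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_4104):
        status = ", ".join(f.indicators) if f.indicators else "no indicators"
        print(f"{f.host}: {status}")
```

The important design point is the decode step: matching indicators against the raw command line would miss anything hidden inside an encoded payload, which is exactly where obfuscated scripts keep the interesting strings. Feeding real 4104 exports into `scan_script_blocks` requires only adapting the three-field split to your log format.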
The implications of these leaks are significant:
- Broader Access to Ransomware: The availability of the LockBit 4.0 builder opens doors for smaller, less-experienced cybercriminals to launch attacks using powerful ransomware variants.
- Monetization Diversification: Babuk Locker’s focus on selling decryptors instead of builder kits suggests an evolution in how ransomware gangs profit from attacks.
- Heightened Global Risk: Organizations face greater risks as the leaked builder can be used to tailor attacks that evade traditional detection mechanisms.
Recommendations for Mitigation
Given the increased availability of sophisticated ransomware tools, organizations must adopt robust cybersecurity practices, including:
- Implementing next-generation firewalls with behavior-based threat detection.
- Network segmentation to prevent lateral movement after initial infection.
- Zero-trust security models that continuously monitor user access and behavior.
- Employee security training focused on identifying and preventing phishing attempts.
The leaks of both LockBit 4.0 and Babuk Locker builders highlight the ever-evolving tactics of ransomware groups and the need for proactive defenses. Organizations must stay vigilant by enhancing their detection and incident response capabilities to stay ahead of emerging threats.