The "LockBit Black" (also known as LockBit 3.0) builder is a proprietary tool originally used by the LockBit ransomware-as-a-service (RaaS) gang. It allows users to generate customized ransomware executables, decryptors, and the specialized tools needed to launch an attack.
Attackers have used the builder to create specialized versions of ransomware targeting specific industries, such as healthcare or local governments.
Security Implications
The availability of this builder shifted the threat landscape in several ways:
Amateur hackers who lack the skills to write their own malware can now generate sophisticated ransomware with a few clicks.
Numerous groups, such as "Bl00dy" and "Buhti," have been observed using modified versions of the LockBit 3.0 code to launch their own campaigns under different names.
Because so many different actors now use the same underlying code, it is much harder for security researchers to definitively attribute an attack to the original LockBit gang.
While the builder is widely available, its use remains highly illegal and dangerous. For defenders, the leak provided a double-edged sword: while it increased the number of attacks, it also gave security researchers the "blueprints" to better understand how LockBit 3.0 functions, leading to improved detection rules and behavioral analysis.