Quick Overview of Leaked LockBit 3.0 (Black) builder program

By S2W
Published: 2022-09-23 · Archived: 2026-04-10 02:25:27 UTC

Author: HuiSeong, Yang & Hyunsik, Jeong | S2W TALON
Last Modified: Sep 22, 2022

Executive Summary

- According to a tweet from 3xp0rt, Ali Qushji was able to infiltrate LockBit's server and acquire the builder for the ransomware.
- According to vx-underground, Proton, one of the programmers for the LockBit ransomware group, mentioned that the builder was leaked, but the tweet has now been deleted.
- The ransomware group indirectly admitted that the allegations above are true, saying that nothing has been hacked and that they have fired the coder.
- The LockBit 3.0 builders leaked by Ali Kushii and Proton are both shared on 3xp0rt's GitHub.

Detailed Analysis

Figure: LockBit builder flowchart

1. Build.bat

Build.bat creates an RSA public/private key pair by executing Keygen.exe, then runs Builder.exe, which generates the LockBit 3.0 ransomware using the generated key pair.
    ERASE /F /Q %cd%\Build\*.*
    keygen -path %cd%\Build -pubkey pub.key -privkey priv.key
    builder -type dec -privkey %cd%\Build\priv.key -config config.json -ofile %cd%\Build\LB3Decryptor.exe
    builder -type enc -exe -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3.exe
    builder -type enc -exe -pass -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_pas
    builder -type enc -dll -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_Rundll32
    builder -type enc -dll -pass -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_Run
    builder -type enc -ref -pubkey %cd%\Build\pub.key -config config.json -ofile %cd%\Build\LB3_Reflectiv
    exit

Figure: Command line description

The list of files created after execution is as follows.

Figure: Files created after executing Build.bat

2. config.json

config.json is a JSON configuration file that contains the setting values to be used when generating LockBit 3.0 Encryptor and Decryptor.
- bot: Configuration about the bot feature stealing information from infected devices (Not used)
- config: Configuration values that determine the behaviors for the LockBit 3.0 ransomware

Figure: Configuration description

- white_folders: List of folders to exclude from encryption
- white_files: List of files to exclude from encryption
- white_extens: List of extensions to exclude from encryption
- white_hosts: List of hostnames to exclude from encryption
- kill_processes: List of processes to be terminated before encryption
- kill_services: List of services to be terminated before encryption
- gate_urls: List of URLs to be used as the C2 server
- impers_accounts: List of credentials to be used for logon
- note: Ransom note content

    ~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~
    >>>> Your data are stolen and encrypted
    The data will be published on TOR website if you do not pay the ransom
    Links for Tor Browser:http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionhttp://loc
    >>>> AdvertisementWould you like to earn millions of dollars $$$ ?Our company acquire access to netwo
    If you want to contact us, write in jabber or tox.Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3

3. Builder.exe

Builder.exe is a tool to generate LockBit 3.0 Encryptor and Decryptor. Encryptor and Decryptor are embedded in the resource section.

- 100: LockBit 3.0 Decryptor (EXE)
- 101: LockBit 3.0 Encryptor (EXE)
- 103: LockBit 3.0 Encryptor (DLL)
- 106: LockBit 3.0 Encryptor (Reflective DLL)

The parameters used during execution are as follows.
- -type
    enc: Generate Encryptor
    dec: Generate Decryptor
- -config
    Configuration file path
- -exe, -dll, -ref (reflective DLL)
    File type to be created
- -pass
    When creating an Encryptor, protects it with a password that is required to execute it
    Passwords required to execute Encryptor are stored in Password_exe.txt and Password_dll.txt respectively
- -pubkey, -privkey
    Path of the key file to be used when creating Encryptor and Decryptor
- -ofile
    File path to save

4. Keygen.exe

Keygen.exe is a tool that generates key pairs required for encryption. The parameters used during execution are as follows.

- -path: Folder path to save generated key pair file
- -pubkey: File name to use for Encryptor as public key (256 bytes)
    The first 128 bytes contain e value (fixed at 65537), and the last 128 bytes contain N value
- -privkey: File name to use for Encryptor as private key (256 bytes)
    The first 128 bytes contain d value and the last 128 bytes contain N value

Key generation is performed as follows.

- keygen.exe is written based on MIRACL.
- It generates an RSA-1024 key to encrypt the file encryption key, and the e value is fixed to 65537.
- When generating the 512-bit prime numbers p and q, it creates a 256-byte seed with the rdrand x86 instruction.
- It then passes the seed to the strong_init function of MIRACL to initialize the CSPRNG defined in mrstrong.c, and uses the strong_bigdig function to get a 512-bit value, which is used for generating a prime number.
- keygen.exe uses a modified version of MIRACL, which uses RIPEMD-160 instead of SHA-256 inside the CSPRNG from mrstrong.c.
- Afterward, a 16-byte Decryption ID is generated to identify the infected PC and stored in the DECRYPTION_ID.txt file.

File information

1.
Build.bat
    MD5: 4e46e28b2e61643f6af70a8b19e5cb1f
    SHA-1: 804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
    SHA-256: 8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
    FileType: BAT

2. config.json
    MD5: a6ba7b662de10b45ebe5b6b7edaa62a9
    SHA-1: f3ed67bdaef070cd5a213b89d53c5b8022d6f266
    SHA-256: 3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8
    FileType: json

3. Builder.exe
    MD5: c2bc344f6dde0573ea9acdfb6698bf4c
    SHA-1: d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
    SHA-256: a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
    CreationTime: 2022-09-14 08:31:18
    FileType: EXE

4. Keygen.exe
    MD5: 71c3b2f765b04d0b7ea0328f6ce0c4e2
    SHA-1: bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
    SHA-256: ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
    CreationTime: 2022-09-09 08:58:31
    FileType: EXE

Source: https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085
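The Builder.exe parameters listed above give defenders a command-line signature to look for in process-creation logs. The following added example, which is not code from the article or from the builder, classifies command lines by that parameter set; the sample log lines and their paths are constructed.

```python
# Added example: match process command lines against the builder's
# documented parameter set. The sample lines are constructed.
import shlex

VALUE_FLAGS = {"-type", "-config", "-pubkey", "-privkey", "-ofile"}
FORM_FLAGS = ("-exe", "-dll", "-ref")


def parse_flags(command_line):
    """Return (values, switches) for the arguments after the image name."""
    try:
        tokens = shlex.split(command_line, posix=False)[1:]
    except ValueError:          # unbalanced quotes in a truncated log field
        tokens = command_line.split()[1:]
    values, switches, i = {}, set(), 0
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in VALUE_FLAGS and i + 1 < len(tokens):
            values[flag] = tokens[i + 1].strip('"')
            i += 1              # consume the flag's value
        elif flag.startswith("-"):
            switches.add(flag)
        i += 1
    return values, switches


def classify(command_line):
    """Describe the build step a command line performs, or return None."""
    values, switches = parse_flags(command_line)
    if not {"-type", "-config", "-ofile"} <= values.keys():
        return None
    kind = values["-type"].lower()
    if kind == "dec" and "-privkey" in values:
        return {"artifact": "decryptor", "output": values["-ofile"]}
    form = next((f[1:] for f in FORM_FLAGS if f in switches), None)
    if kind == "enc" and "-pubkey" in values and form:
        return {"artifact": "encryptor", "form": form,
                "password": "-pass" in switches, "output": values["-ofile"]}
    return None


SAMPLE_LINES = [  # constructed process-creation command lines
    r'builder -type dec -privkey C:\w\Build\priv.key -config config.json -ofile C:\w\Build\LB3Decryptor.exe',
    r'builder.exe -type enc -dll -pass -pubkey "C:\w dir\pub.key" -config config.json -ofile C:\w\Build\out.dll',
    r'builder -type release -config app.json',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
```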
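The key file layout described in the Keygen.exe section can be checked mechanically when a pub.key or priv.key is recovered during incident response. The following added example, not code from the article or the leaked tooling, parses both files and confirms they belong together. Assumptions: the byte order is not stated on the page and is inferred from the fixed e value, and the sample pair is constructed from two Mersenne primes, so its modulus is shorter than a real RSA-1024 key.

```python
# Added example: validate the 256-byte key files described for Keygen.exe.
# Assumption: the page does not state byte order, so it is inferred from e.
E_FIXED = 65537   # public exponent, fixed per the page
HALF = 128        # each half of a key file holds one value


def split_key_blob(blob, byteorder):
    """Return the two 128-byte halves of a key file as integers."""
    if len(blob) != 2 * HALF:
        raise ValueError(f"expected 256 bytes, got {len(blob)}")
    return (int.from_bytes(blob[:HALF], byteorder),
            int.from_bytes(blob[HALF:], byteorder))


def parse_public_key(blob):
    """Parse pub.key (e then N), detecting byte order from e == 65537."""
    for order in ("little", "big"):
        e, n = split_key_blob(blob, order)
        if e == E_FIXED and n > E_FIXED:
            return {"e": e, "n": n, "byteorder": order}
    raise ValueError("first half is not e = 65537 in either byte order")


def check_key_pair(pub_blob, priv_blob):
    """Confirm priv.key (d then N) matches pub.key before trusting it."""
    pub = parse_public_key(pub_blob)
    d, n_priv = split_key_blob(priv_blob, pub["byteorder"])
    probe = 0x4C42334B4559 % pub["n"]           # arbitrary test value
    back = pow(pow(probe, pub["e"], pub["n"]), d, pub["n"])
    return {"byteorder": pub["byteorder"],
            "modulus_bits": pub["n"].bit_length(),
            "same_modulus": n_priv == pub["n"],
            "roundtrip_ok": back == probe}


def constructed_pair(byteorder="little"):
    """Constructed sample (not from a real build): Mersenne primes p and q."""
    p, q = 2**127 - 1, 2**521 - 1
    n, d = p * q, pow(E_FIXED, -1, (p - 1) * (q - 1))
    enc = lambda v: v.to_bytes(HALF, byteorder)
    return enc(E_FIXED) + enc(n), enc(d) + enc(n)


if __name__ == "__main__":
    pub_blob, priv_blob = constructed_pair()
    print(check_key_pair(pub_blob, priv_blob))
```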