{
	"id": "3c4e3e18-2ea5-4105-a0aa-9f4257adf6ed",
	"created_at": "2026-04-06T00:10:53.525241Z",
	"updated_at": "2026-04-10T03:25:41.16969Z",
	"deleted_at": null,
	"sha1_hash": "bf339d0f493ab4f4f10f285871989af027ecdee6",
	"title": "LockBit ransomware builder leaked online by \"angry developer\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4431770,
	"plain_text": "LockBit ransomware builder leaked online by \"angry developer\"\r\nBy Lawrence Abrams\r\nPublished: 2022-09-21 · Archived: 2026-04-05 20:27:20 UTC\r\nThe LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the\r\ngang's newest encryptor.\r\nIn June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black, after testing it\r\nfor two months.\r\nThe new version promised to 'Make Ransomware Great Again,' adding new anti-analysis features, a ransomware bug bounty\r\nprogram, and new extortion methods.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nHowever, it looks like LockBit has suffered a breach, with two people (or maybe the same person) leaking the LockBit 3.0\r\nbuilder on Twitter.\r\nLockBit 3.0 builder leaked on Twitter\r\nAccording to security researcher 3xp0rt, a newly registered Twitter user named 'Ali Qushji' states their team hacked\r\nLockBits servers and found a builder for the LockBit 3.0 ransomware encryptor.\r\nAfter security researcher 3xp0rt shared the tweet about the leaked LockBit 3.0 builder, VX-Underground shared that they\r\nwere contacted on September 10th by a user named 'protonleaks,' who also shared a copy of the builder.\r\nHowever, VX-Underground says that LockBitSupp, the public representative of the LockBit operation, claims they were not\r\nhacked, but rather a disgruntled developer leaked the private ransomware builder.\r\n\"We reached out to Lockbit ransomware group regarding this and discovered this leaker was a programmer employed by\r\nLockbit ransomware group,\" VX-Underground shared in a now-deleted tweet.\r\n\"They were upset with Lockbit leadership and leaked the builder.\"\r\nBleepingComputer has spoken to multiple security researchers who have confirmed that the builder is legitimate.\r\nBuilder lets anyone start a ransomware gang\r\nRegardless of how the private ransomware builder was leaked, this is not only a severe blow to the LockBit ransomware\r\noperation but also to the enterprise, which will see a rise in threat actors using it to launch their own attacks.\r\nThe leaked LockBit 3.0 builder allows anyone to quickly build the executables required to launch their own operation,\r\nincluding an encryptor, decryptor, and specialized tools to launch the decryptor in certain ways.\r\nThe builder consists of four files, an encryption key generator, a builder, a modifiable configuration file, and a batch file to\r\nbuild all of the files.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/\r\nPage 3 of 6\n\nLockBit 3.0 builder files\r\nSource: BleepingComputer\r\nThe included 'config.json' can be used to customize an encryptor, including modifying the ransom note, changing\r\nconfiguration options, deciding what processes and services to terminate, and even specifying the command and control\r\nserver that the encryptor will send data.\r\nBy modifying the configuration file, any threat actor can customize it to their own needs and modify the created ransom note\r\nto link to their own infrastructure.\r\nLockBit 3.0 configuration file\r\nSource: BleepingComputer\r\nWhen the batch file is executed, the builder will create all of the files necessary to launch a successful ransomware\r\ncampaign, as shown below.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/\r\nPage 4 of 6\n\nRansomware executables created by the LockBit 3.0 builder\r\nSource: BleepingComputer\r\nBleepingComputer tested the leaked ransomware builder and was easily able to customize it to use our own local command\r\nand control server, encrypt our files, and then decrypt them, as shown below.\r\nDemonstration of the built LockBit 3.0 decryptor\r\nSource: BleepingComputer\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/\r\nPage 5 of 6\n\nThis builder is not the first time a ransomware builder or source code was leaked online, leading to increased attacks by\r\nother threat actors who launched their own operations.\r\nIn June 2021, the Babuk ransomware builder was leaked, allowing anyone to create encryptors and decryptors for Windows\r\nand VMware ESXi, which other threat actors used in attacks.\r\nIn March 2022, when the Conti ransomware operation suffered a data breach, their source code was leaked online as well.\r\nThis source code was quickly used by the NB65 hacking group to launch ransomware attacks on Russia.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/"
	],
	"report_names": [
		"lockbit-ransomware-builder-leaked-online-by-angry-developer-"
	],
	"threat_actors": [
		{
			"id": "f547e816-ea17-442e-915d-c5c76a30669b",
			"created_at": "2022-10-25T16:07:23.891717Z",
			"updated_at": "2026-04-10T02:00:04.780944Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [],
			"source_name": "ETDA:NB65",
			"tools": [
				"NB65"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775791541,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf339d0f493ab4f4f10f285871989af027ecdee6.pdf",
		"text": "https://archive.orkl.eu/bf339d0f493ab4f4f10f285871989af027ecdee6.txt",
		"img": "https://archive.orkl.eu/bf339d0f493ab4f4f10f285871989af027ecdee6.jpg"
	}
}