{
	"id": "2c3f36a1-9360-416d-a7d8-72a0a5a06dd8",
	"created_at": "2026-04-06T00:18:28.873698Z",
	"updated_at": "2026-04-10T03:20:50.264628Z",
	"deleted_at": null,
	"sha1_hash": "ee6db6bb5f704152abeefb93f2f537d70193cff0",
	"title": "Concerns grow as LockBit knockoffs increasingly target popular vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 218931,
	"plain_text": "Concerns grow as LockBit knockoffs increasingly target popular\r\nvulnerabilities\r\nBy Jonathan Greig\r\nPublished: 2023-10-19 · Archived: 2026-04-05 19:40:37 UTC\r\nHackers are using a leaked toolkit used to create do-it-yourself versions of the popular LockBit ransomware,\r\nmaking it easy for even amateur cybercriminals to target common vulnerabilities.\r\nThe LockBit ransomware gang, which has attacked thousands of organizations across the world, had the toolkit\r\nleaked in September 2022 by a disgruntled affiliate. Experts immediately expressed concerns that less-skilled\r\nhackers would be able to create their own ransomware with the tool.\r\nThose fears have now been realized, according to researchers at Sophos, who have unveiled at least two instances\r\nin recent weeks where hackers exploiting popular vulnerabilities are using makeshift ransomware strains created\r\nfrom the builder to attack organizations.\r\nLast week, Sophos reported seeing hackers attempting to exploit CVE-2023-40044 — a vulnerability affecting\r\nProgress Software’s WS_FTP Server product. Progress disclosed the bug three weeks ago and released a patch for\r\nit, but Sophos said that it still found unpatched servers.\r\nChristopher Budd, director of threat intelligence at Sophos, told Recorded Future News the only ransomware his\r\nteam observed in these attacks was compiled from the LockBit builder leaked last year.\r\nSophos shared a copy of a ransom note purportedly from “The Reichsadler Cybercrime Group” that included a\r\nreference to the heraldic eagle image used by Nazi Germany and the Holy Roman Empire. 
The note demands the\r\nbitcoin equivalent of $500 from the would-be target.\r\nSean Gallagher, principal threat researcher at Sophos, told Recorded Future News on Thursday that they saw a\r\nsecond situation where hackers using a LockBit knockoff were attempting to attack outdated and unsupported\r\nAdobe ColdFusion servers.\r\nThe hackers called the ransomware “BlackDogs2023” and Sophos said their systems were able to block the attack\r\nbefore it progressed. The ransom note from BlackDogs2023 requested 205 Monero (roughly $30,000) to recover\r\nthe “stolen and encrypted” data.\r\n“This is the second, recent incident of threat actors attempting to take advantage of leaked LockBit source code to\r\nspin new variants of ransomware that we’ve uncovered in recent weeks,” he said.\r\n“It’s entirely possible that other copycats will emerge, which is why it’s essential for organizations to prioritize\r\npatching and upgrading from unsupported software whenever possible. However, it’s important to note that\r\npatching only closes the hole. With things like unprotected ColdFusion servers and WS_FTP, companies need to\r\nalso check to make sure none of their servers are already compromised, otherwise, they’re still at risk of these\r\nattacks.”\r\nThe leak of tools used to create ransomware strains has long been a concern of researchers, who noted that\r\nhundreds of strains can be traced back to a handful of popular ransomware brands.\r\nRecorded Future ransomware expert Allan Liska said last year that his team identified more than 150 “new”\r\nransomware groups, most of which are using code stolen from defunct ransomware gangs like Conti or REvil.\r\nAbout one in every six ransomware attacks targeting U.S. government offices in 2022 were traced back to\r\nLockBit, according to a June advisory from several U.S. law enforcement agencies. 
The gang has brought in about\r\n$91 million in ransoms from U.S. victims since its first reported attack in the country in January 2020.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/lockbit-knockoffs-proliferate-leaked-toolkit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/lockbit-knockoffs-proliferate-leaked-toolkit"
	],
	"report_names": [
		"lockbit-knockoffs-proliferate-leaked-toolkit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee6db6bb5f704152abeefb93f2f537d70193cff0.pdf",
		"text": "https://archive.orkl.eu/ee6db6bb5f704152abeefb93f2f537d70193cff0.txt",
		"img": "https://archive.orkl.eu/ee6db6bb5f704152abeefb93f2f537d70193cff0.jpg"
	}
}