LockBit3Builder.7z is the filename of a leaked software package that allows anyone to generate custom versions of the LockBit 3.0 ransomware, also known as "LockBit Black".

Overview of the Leak

The builder was leaked online after a disgruntled developer reportedly stole the code from the LockBit ransomware-as-a-service (RaaS) group. It was initially shared via Twitter accounts like @ali_qushji and @protonleaks, and the code has since been mirrored on platforms like GitHub.

Technical Capabilities

According to researchers from ThreatDown and Thales Group, the password-protected archive typically contains four critical files that simplify the ransomware creation process:

: The core executable used to compile the final ransomware payload.
: A batch file that automates the compilation of the ransomware binaries.
: A modifiable configuration file that allows the attacker to customize ransom notes, target specific file extensions, and set command-and-control (C2) details.
: A tool to generate unique encryption and decryption keys.