
Leaked LockBit builder-based ransomware impersonates employees and self-spreads: incident analysis


LockBit persists: the 2022 leaked builder remains a threat. Following a recent incident, the Kaspersky Global Emergency Response team is shedding light on an attack in which adversaries crafted their own variant of encryption malware equipped with self-propagation capabilities. Exploiting stolen privileged administrator credentials, the cybercriminals breached infrastructure. This incident took place in West Africa, but other regions are also experiencing attacks with builder-based ransomware, albeit lacking the sophisticated features observed in this case.

The latest incident occurred in Guinea-Bissau and revealed that the custom ransomware employs unseen techniques. It can create an uncontrolled avalanche effect, with infected hosts attempting to spread the malware further within the victim’s network. After the recent occurrence, Kaspersky is providing a detailed analysis.

Impersonation. Leveraging illicitly acquired credentials, the threat actor impersonates the system administrator with privileged rights. This scenario is critical, as privileged accounts provide extensive opportunities to execute the attack and gain access to the ...


Copyright of this story solely belongs to itvoice.in.