Kaspersky researchers noted hundreds of new ransomware variants rising from LockBit 3.0 code leak that let threat actors of all kinds make their ransomware software.

Researchers noted about 396 samples related to LockBit, although some differences in ransom notes, decryption key paths, communications, etc. While some credited the LockBit gang for their builders, some didn’t.

Paving Path to Similar Ransomware Gangs

In the world of cybersecurity, ransomware groups are considered as an elite class for their techniques, targets and consequences. Some countries even fund the form of an official threat group, called Advanced Persistent Threats, to steal intelligence from rival nations.

Thus, any matter concerning them should be carefully handled. Though several security researchers and companies tackle them when needed, threat actors are evolving with new techniques to hit their targets.

And those who can’t develop tools by themselves often copy popular malware and tune it to their needs. One such incident happened when LockBit 3.0 source code was leaked last year, leading other threat actors to make similar ransomware.

Kaspersky researchers noted a new group seemingly formed from LockBit code but have a few differences. Naming it the National Hazard Agency, researchers spotted this LockBit variant on a recent intrusion against a target.

Though it’s similar in most kinds, the National Hazard Agency has revamped its ransom note to mention the ransom demand directly in it – unlike LockBit, which directs the victim to contact them for negotiation.

This aside, some researchers have also spotted other LockBit variants, called Bl00dy and Buhti, in different incidents. Overall, Kaspersky noted a total of 396 distinct LockBit samples in its telemetry, with 77 samples making no reference to “LockBit” in the ransom note.

Similarly, ransomware groups like Trigona, Monti, and Akira are formed from the leaked code of other popular ransomware malware, with Akira being linked to the Conti group.