The LockBit ransomware builder (version 3.0) has been leaked online, allegedly by its angry developers. It is suspected that two people (or the same person) leaked the 3.0 builder (also known as LockBit Black) on Twitter.

LockBit’s builder leaked

  • Security researcher 3xp0rt first disclosed that a newly registered Twitter user Ali Qushji (@ali_qushji) claimed that his team had compromised LockBit’s servers and discovered a builder for the LockBit 3.0 encryptor.
  • After this disclosure, research agency VX-Underground revealed that they also were contacted by a user protonleaks (@protonleaks1) on September 10, who shared a copy of the builder.
  • VX-Underground further claims that LockBitSupp, the public representative of LockBit, clarified that the group was not hacked. Instead, a miffed developer had leaked the private ransomware builder code.

It was found out that this leaker was a programmer hired by the ransomware group. The programmer was upset with LockBit leadership and leaked the builder in retaliation.

About the leaked builder

The leak of the private ransomware builder is a serious blow to the LockBit ransomware operation.
  • The leaked builder includes a password-protected 7z archive LockBit3Builder.7z.
  • This contains four files: a batch file (build.bat), a builder (builder.exe), a modifiable configuration file (config.json), and an encryption key generator (keygen.exe).
  • These files allow anyone to build the executables to launch their own operation, such as an encryptor, decryptor, and special tools to execute the decryptor in specific ways.
  • Moreover, the configuration file allows customizations such as modifications in the ransom notes, specifying C2 servers, and much more for its users.


The recent leak is a serious concern for the security community, as more threat actors are expected to use the builder to develop their own ransomware. For staying protected, organizations are suggested to invest more in cybersecurity solutions, with a focus on making the best use of a threat intel platform.
Cyware Publisher