LockBit 3.0 Source Code and Builder Leaked by Disgruntled Developer

The LockBit ransomware-as-a-service operation suffered a significant operational setback today after a disgruntled developer leaked the group's LockBit 3.0 (also known as LockBit Black) ransomware builder on Twitter.

The leaked toolkit, packaged as "LockBit3Builder," allows anyone to generate custom LockBit 3.0 payloads complete with configurable encryption parameters, exclusion lists, and ransom note text. The leak was first noticed by security researcher 3xp0rt, who shared screenshots and analysis on social media.

LockBit's main operator, who goes by "LockBitSupp," confirmed the leak on the group's data-leak site and blamed a developer the group had hired and subsequently dismissed. LockBitSupp claimed the operation would continue and that the leak primarily affected an outdated build.

Security researchers reacted with measured concern. "The leak doesn't materially change LockBit's operational capacity," said Allan Liska, ransomware analyst at Recorded Future. "What it does do is significantly lower the bar for less sophisticated affiliates and copycats to deploy LockBit-derivative payloads, which complicates attribution and incident response."

Within weeks, the leaked builder had been observed in attacks attributed to at least three other extortion groups operating under unrelated brand names — a phenomenon that researchers say has become characteristic of the post-leak ransomware ecosystem, in which capable encryptors quickly proliferate across loosely coordinated affiliates.