28 September 2022

Leaked LockBit 3.0 builder is already being used in ransomware attacks


Although it has been only a week since the newest LockBit 3.0 ransomware builder was leaked online, security researchers are already detecting attacks that use ransomware created with this tool.

The builder ships with a configuration file that can easily be customized to set different ransom notes, statistics (reporting) servers, and features, allowing anyone to produce their own encryptor without writing any code.

Cybersecurity researcher Vladislav Radetskiy has shared details of a recent Bl00Dy Ransomware Gang attack on a Ukrainian entity that used an encryptor built with the recently leaked LockBit 3.0 builder. Bl00Dy Ransomware Gang is a relatively new operation, first spotted in May 2022 when it attacked a group of medical and dental practices in New York.

Like other ransomware operations, Bl00Dy Ransomware Gang compromises corporate networks, steals data, and encrypts devices. To extort victims and leak stolen data, the threat actors use Telegram channels. The group does not appear to develop its own ransomware, but instead reuses previously leaked ransomware builders.

An analysis of the Bl00Dy Ransomware Gang’s new encryptor by the tech news site BleepingComputer revealed some differences between it and the encryptors used in the group’s previous attacks.

“In past campaigns, the threat actors added the .bl00dy extension for encrypted files. However, as this is not a customizable option in the LockBit 3.0 builder, the threat actors are left using extensions determined when the encryptor is built,” according to BleepingComputer.

“As LockBit 3.0 is one of the more advanced, feature-rich ransomware operations at this time, we should expect other threat actors to launch new operations using the leaked builder,” the experts added.

