LockBit ransomware error would have allowed victims to recover their files without paying ransom to hackers

A ransomware specialist has discovered a flaw in LockBit malware code that could have been used to remove encryption for free and without having to negotiate with threat actors. LockBit is one of the most popular encryption malware variants nowadays, operating as a ransomware as a service (RaaS) platform at least since January 2020.

Just like other RaaS platforms, LockBit customers manage the cyberattacks to infect the affected network with this variant of ransomware, requiring administrators to pay a ransom to restore the systems to normal.

This payment must be made through a platform hosted on dark web, usually in cryptocurrency. LockBit operators even offer victims the ability to decrypt a file for free, as confirmation that cybercriminals have the right decryption tool.

On the flaw found by the researcher, the report was posted on an illegal hacking forum in which it is mentioned that an error in the free encryption mechanism described above could have been exploited to decrypt files unlimitedly. Although this report did not include additional evidence, the claims were confirmed by Bassterlord, a renowned Russian hacker who has collaborated with multiple ransomware groups, including LockBit, REvil, Avaddon and RansomExx.

As in similar incidents reported above, the cybersecurity community expects malware developers to update their code. A recent malwarebytes report mentions that the platform was down for a couple of days, which could mean that the malware has already been updated.  

While it was difficult for victims to recover all their encrypted information, this error may certainly have been exploited massively by a large number of victims. 

This flaw would certainly have proved somewhat beneficial to victims of this malware variant, so in the cybersecurity community a new policy debate has begun to address such an infection. John Fokker, McAfee’s director of security research, believes that any errors related to these infections should ideally be reported to those in charge of the No More Ransom security project, or to cybersecurity services firms.

LockBit infections reported during 2021

“These organizations have perfectly established mechanisms to use this information for the sake of cybercrime victims before malware developers can fix bugs,” the expert says.

Fokker also considers that this recommendation applies to all potential ransomware victims, from individual users to entire organizations, as well as independent researchers and security firms.