The leak of a builder for #LockBitBlack might have given us an intriguing hint. Take a look at the screenshot for the default config file. See the password 123QWEqwe? Keep it in mind for now. 🧵
https://twitter.com/3xp0rtblog/status/1572510793861836802
For most of the leaks of data stolen by #LockBit affiliates, we have a name. Like in this screenshot. In this case, it’s most likely the default name for Windows VPS machines at some hosting providers. @SHODAN data suggests that. 
@SHODAN Now, where does that machine name come from? It’s set by #StealBit, the homemade exfiltration tool of #LockBit. @cybereason dug into it. cybereason.com/blog/research/…
@SHODAN @cybereason But @cybereason didn't consider that #StealBit might not be used to exfiltrate directly from the victim’s systems to #LockBit servers: the machine name of a VPS suggests that it might be used in a 2nd stage of exfiltration, from a VPS used in the attack, to LockBit servers.
This is where we get back to the password, mentioned in the beginning of this thread. Do you see the machine name in this screenshot? Rings a bell?
It's not just one case. Since the launch of LockBit 3.0, I spotted more of them. And I remember seeing the same machine name for several LockBit 2.0 victims.
Now, what does that tell us? We're dealing with a default config file of a builder with a password pretty similar to the name of machine used in attacks with LockBit. This could suggest the involvement a core member of the #LockBit ransomware operation for those victims 🤷♂️
• • •
Missing some Tweet in this thread? You can try to
force a refresh
