# Fake Lockbit 5.0 silliness and 3 layers of ransomware lasagna

Previously, an unknown person contacted me claiming they had the source code to Lockbit 5.0. Based on the nature of the conversation, and details revealed to me, I suspected they were not lying. After I briefly reviewed the code, I believed it was indeed the source code to Lockbit 5.0 (Linux, ESXi). I wrote that I wanted to share the source code with security researchers (primarily defenders) so people could make detection rules for it. Following this, I would release the source code on GitHub.

After I shared the code with some colleagues from HuntressLabs, FlashPoint, Halcyon, and some other places (can't remember where they work), some really funny things were discovered.

Fabian Wosar quickly noted it was a variant of Babuk ransomware (leaked a long time ago). Likewise, nerds from HuntressLabs and FlashPoint noted this code didn't contain the obfuscation which was present in current Lockbit 5.0 binaries. However, this variant of Babuk (fake Lockbit 5.0) was improved upon.

As these conversations took place, I was contacted by a ransomware operator who coincidentally told me intimate details about the "Lockbit 5.0" source code I had not shared publicly (such as requiring a batch file for building the code base).

<figure><img src="/files/4rhD7qBI8X1rl9RF3OLk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RrOV2HrLilkV51c5Sia0" alt=""><figcaption></figcaption></figure>

The 2nd image is a picture the ransomware operator sent to me. This is the exact code I received from this unknown person.

How did this ransomware operator have the exact same code I have, and how did they know it used a batch file for building? The source code was written by someone with the intention of impersonating the Lockbit ransomware group during ransomware incidents. Furthermore, it was sold to Threat Actors for $3,000 with the expectation of exclusivity.

<figure><img src="/files/flnG6X5dZhkzc5U9nlRW" alt=""><figcaption></figcaption></figure>

tl;dr ransomware group impersonating a ransomware group by using code from an old ransomware group. It is a 3 layer lasagna of ransomware. Whether or not this has been deployed in the wild I'm unsure of. More research is required. Collaboration is required, or retrohunting, or something. I don't know.

