The Rise of LockBit Knockoffs: A Cautionary Tale in Cybersecurity


Published on Oct 20, 2023   —   4 min read

In the shadowy corridors of the cyber underworld, imitation isn't just the sincerest form of flattery—it's a blueprint for chaos. The LockBit ransomware, notorious for its sophisticated attacks, has now spawned a new breed of cyber threats. Thanks to a leaked toolkit, the barriers to entry have crumbled, allowing even novice hackers to craft their own versions of this malicious software. This alarming development, highlighted by The Record, isn't just a footnote in cybersecurity chronicles; it's a glaring headline that demands our immediate attention.

The Leaked Toolkit: A Pandora's Box

In September 2022, a disgruntled affiliate leaked the toolkit used by the LockBit ransomware gang. This toolkit was essentially a "do-it-yourself" kit for creating ransomware. Experts immediately raised red flags, fearing that less skilled hackers would now have the ability to create their own ransomware strains.

The Realization of Fears

When the LockBit toolkit was initially leaked, cybersecurity experts sounded the alarm, warning that the tools could fall into the wrong hands and lead to a new wave of ransomware attacks. Researchers at Sophos have now confirmed that these fears were not unfounded. They've identified at least two instances where hackers have exploited popular vulnerabilities using ransomware strains crafted from the leaked toolkit. One such instance involved the exploitation of CVE-2023-40044, a vulnerability that affects Progress Software’s WS_FTP Server product. This wasn't a random shot in the dark; it was a targeted attack that leveraged known vulnerabilities, underscoring the fact that the theoretical risks posed by the toolkit leak have transitioned into tangible threats.

Sophos' findings also revealed a concerning detail: despite a patch being available for the CVE-2023-40044 vulnerability, they discovered servers that remained unpatched. This is a glaring example of the cybersecurity complacency that can turn manageable risks into full-blown crises. It's not just the hackers who are becoming more sophisticated; it's also the organizations themselves that are failing to keep pace. The availability of a patch is meaningless if it's not applied, and this oversight provides cybercriminals with the openings they need to infiltrate systems. The Sophos report serves as a cautionary tale, emphasizing the urgent need for organizations to not only be aware of emerging threats but also to act swiftly in addressing them.

The New Players: Reichsadler and BlackDogs2023—A Closer Look at the Emerging Threats

In the wake of the LockBit toolkit leak, cybersecurity researchers have identified new ransomware strains that are capitalizing on this unfortunate event. Two such strains that have caught the attention of Sophos are "The Reichsadler Cybercrime Group" and "BlackDogs2023." Let's delve into the unique characteristics and tactics of these new players.

The Reichsadler Cybercrime Group: Small Demands, Big Implications

At first glance, the Reichsadler Cybercrime Group may not seem like a significant threat, especially with a ransom demand of just $500 in Bitcoin. However, it's the symbolism and the ease with which they've entered the ransomware arena that's concerning. Their ransom note includes references to the heraldic eagle image used by Nazi Germany and the Holy Roman Empire, signaling a potentially dangerous ideological bent. The low ransom amount could also indicate that they are testing the waters, gauging the success rate of their attacks before scaling up.

BlackDogs2023: A Heftier Price Tag and a Lesson in Complacency

In contrast, BlackDogs2023 is making its presence felt with a much heftier ransom demand—205 Monero, equivalent to roughly $30,000. This group is targeting outdated and unsupported Adobe ColdFusion servers, a clear indication that they've done their homework. Sophos was able to block their attack, but the fact that they targeted such specific vulnerabilities suggests a more calculated approach.

The Common Thread: Exploiting the Vulnerable

Both groups are exploiting outdated and unsupported software, making it abundantly clear that organizations can no longer afford to be complacent. The Reichsadler and BlackDogs2023 strains are a wake-up call for organizations to prioritize not just patching, but also upgrading their software systems.

The Implications: A New Wave of Cyber Threats

The emergence of these new strains underscores the ripple effect that a single toolkit leak can have on the cybersecurity landscape. It's not just about the Reichsadler and BlackDogs2023 groups; it's about the countless other potential strains that could emerge, each with its own set of tactics and targets.

The Bigger Picture

The leak of such toolkits is not a new phenomenon. Researchers have long been concerned about this, as hundreds of ransomware strains can be traced back to a handful of popular brands. Allan Liska, a ransomware expert, noted that most new ransomware groups are using code stolen from defunct gangs like Conti or REvil.


The proliferation of LockBit knockoffs serves as a stark and unsettling reminder of the inherent vulnerabilities in our interconnected digital landscape. The leak of the LockBit toolkit has essentially democratized the tools of cyber warfare, lowering the barriers to entry for amateur hackers. This isn't just a minor hiccup in the world of cybersecurity; it's a seismic event that has the potential to reshape the threat landscape. The ease with which new players like Reichsadler and BlackDogs2023 have entered the arena underscores the urgency of the situation.

However, every cloud has a silver lining, and in this case, it's the wake-up call that organizations desperately needed. The emergence of these knockoffs should serve as a catalyst for companies to reevaluate and tighten their cybersecurity protocols. In a way, the LockBit knockoffs have done us a grim favor: they've shown us, in no uncertain terms, the gaps in our armor that urgently need to be fortified.


Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.