Fake Lockbit 5.0 silliness and 3 layers of ransomware lasagna

Previously, an unknown person contacted me claiming they had the source code to Lockbit 5.0. Based on the nature of the conversation, and the details revealed to me, I suspected they were not lying. After I briefly reviewed the code, I believed it was indeed the source code to Lockbit 5.0 (Linux, ESXi). I wrote that I wanted to share the source code with security researchers (primarily defenders) so people could make detection rules for it. Following this, I would release the source code on GitHub.

After I shared the code with some colleagues from HuntressLabs, FlashPoint, Halcyon, and some other places (can't remember where they work), some really funny things were discovered.

Fabian Wosar quickly noted it was a variant of Babuk ransomware (leaked a long time ago). Likewise, nerds from HuntressLabs and FlashPoint noted this code didn't contain the obfuscation that was present in current Lockbit 5.0 binaries. However, this variant of Babuk (fake Lockbit 5.0) had been improved upon.

As these conversations took place I was contacted by a ransomware operator who coincidentally told me intimate details about the "Lockbit 5.0" source code I had not shared publicly (such as requiring a batch file for building the code base).

The second image is a picture the ransomware operator sent to me. This is the exact code I received from this unknown person.

How did this ransomware operator have the exact same code I have, and how did they know it used a batch file for building? The source code was written by someone with the intention of impersonating the Lockbit ransomware group during ransomware incidents. Furthermore, it was sold to threat actors for $3,000 with the expectation of exclusivity.

tl;dr: a ransomware group impersonating a ransomware group by using code from an old ransomware group. It is a 3-layer lasagna of ransomware. Whether or not this has been deployed in the wild, I'm unsure. More research is required. Collaboration is required, or retrohunting, or something. I don't know.