LockBit 3.0 Ransomware: An evolving threat that challenges network defenses and mitigations

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint cybersecurity advisory regarding LockBit 3.0 ransomware, an evolving threat that challenges network defenses and mitigations.

Published on March 16, 2023, the advisory includes known LockBit 3.0 indicators of compromises (IOCs) and tactics, techniques, and procedures (TTPs) as identified through FBI investigations as recently as this month.

CISA described the LockBit 3.0 ransomware threat as an evolution of previous LockBit strains:

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

CISA

Moreover, CISA warned that LockBit 3.0 (aka “LockBit Black”) is more modular and evasive than its previous versions. The ransomware also shares similarities with Blackmatter and Blackcat ransomware.

Blackmatter had been known to target multiple U.S. critical infrastructure entities, to include two U.S. Food and Agriculture Sector organizations in 2021.

BlackCat (also known as ALPHV) RaaS, had compromised at least 60 entities worldwide as of March 2022. BlackCat was also the first ransomware group that had used RUST, a secure programming language designed for performance and reliable concurrent processing.

LockBit 3.0

Last October, researchers discovered a ransomware attack involving LockBit 3.0 launched against Advanced, a managed IT and software provider to the UK National Health Service with 25,000 customers and 2,700 employees.

In the latest attacks revealed as recently as March 2023, CISA said LockBit 3.0 involves different technical capabilities:

LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware.

CISA

For example, LockBit can protect the code by enforcing mandatory passwords in order to execute the ransomware executable.

As a result, LockBit 3.0 can hide from malware detection and analysis since the malicious code can’t be executed or read while it is encrypted.

After initially gaining access to victim’s networks (such as via RDP exploits, phishing campaigns or drive-by compromises), LockBit 3.0 will attempt to spread laterally on the network by using a preconfigured list of credentials hardcoded at compilation time or via a compromised local account with elevated privileges.

In addition, LockBit may abuse Windows Group Policy Objects (GPOs) and PsExec via the Server Message Block (SMB) protocol. 

CISA also described how the ransomware uses custom and open-source tools to steal data:

LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption.

CISA

Readers can check out the Cybersecurity Advisory for more details on the LockBit 3.0 IOCs, TTPs and recommended mitigations.

Organizations are highly encouraged to prioritize the remediation of exploited vulnerabilities, train users to recognize/report phishing attempts, and enable/enforce phishing-resistant multifactor authentication.

Related Articles