
Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) for the LockBit 3.0 ransomware have been outlined in a new joint Cybersecurity Advisory issued by several U.S. government organisations.

According to the advisory, “the LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model,” continuing the lineage of the ransomware’s earlier incarnations, LockBit and LockBit 2.0.

The advisory was issued jointly by the FBI, CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC).

LockBit actors first appeared in late 2019 and have since invested considerable effort in developing and refining their malware, releasing two major updates: LockBit 2.0 in mid-2021 and LockBit 3.0 in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively.

“LockBit 3.0 accepts additional arguments” for specific operations such as lateral movement and rebooting into Safe Mode, the advisory notes. Affiliates must supply a password argument when executing the LockBit 3.0 payload unless they have access to a password-less build; without the correct password the payload does not run, which also hampers analysis of captured samples.

In addition, the ransomware is designed not to infect systems whose language settings match an entry on an exclusion list, which currently includes, among others, Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

Common initial access vectors include remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

Once inside a network, the ransomware establishes persistence, escalates privileges, moves laterally, and deletes log files, the contents of the Windows Recycle Bin, and volume shadow copies to hinder forensics and recovery.
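The recovery-inhibition and anti-forensics steps described above (shadow copy deletion, log clearing, Recycle Bin wiping, and the Safe Mode reboot mentioned earlier) are loud from a detection standpoint because they go through a handful of Windows built-ins. The following Python script is an added example, not code from the advisory or from the article: it runs simple hunting rules over process-creation log lines and correlates hits per host. The log format is a constructed key=value layout, the sample events are fabricated, and the concrete command lines matched (vssadmin, wmic, wbadmin, wevtutil, bcdedit, rd on $Recycle.Bin) are assumptions drawn from well-known Windows tooling commonly abused for these purposes, not quoted from the page.

```python
"""Hunt for recovery-inhibition and anti-forensics commands in process logs.

Added example; not from the CISA advisory or the article. The log line
format below is constructed: adapt parse_line() to your EDR/Sysmon export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
SAMPLE_LOGS = [
    r'2023-03-16T02:14:07Z host=WS-0142 user=CORP\jdoe parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2023-03-16T02:14:09Z host=WS-0142 user=CORP\jdoe parent=cmd.exe cmd="wmic.exe shadowcopy delete"',
    r'2023-03-16T02:14:11Z host=WS-0142 user=CORP\jdoe parent=cmd.exe cmd="bcdedit.exe /set {default} safeboot network"',
    r'2023-03-16T02:14:12Z host=WS-0142 user=CORP\jdoe parent=cmd.exe cmd="bcdedit.exe /set {default} recoveryenabled no"',
    r'2023-03-16T02:14:13Z host=WS-0142 user=CORP\jdoe parent=cmd.exe cmd="wevtutil.exe cl Security"',
    r'2023-03-16T02:14:14Z host=WS-0142 user=CORP\jdoe parent=cmd.exe cmd="cmd.exe /c rd /s /q C:\$Recycle.Bin"',
    # Benign look-alikes that must NOT fire: listing shadows, querying a log.
    r'2023-03-16T02:20:00Z host=WS-0200 user=CORP\backupsvc parent=services.exe cmd="vssadmin.exe list shadows"',
    r'2023-03-16T02:21:00Z host=WS-0200 user=CORP\admin parent=powershell.exe cmd="wevtutil.exe qe Security /c:5"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Command patterns for the behaviours the advisory describes. The concrete
# command lines are assumptions (well-known Windows built-ins abused by
# ransomware), not quoted from the advisory or the article.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "event_log_clearing": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s|clear-eventlog", re.I),
    "safe_mode_boot": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{[^}]+\}\s+safeboot", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{[^}]+\}\s+recoveryenabled\s+no", re.I),
    "recycle_bin_wipe": re.compile(
        r"\b(rd|rmdir|del)\b.*\$recycle\.bin", re.I),
}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Run every rule over the command line of every parseable event."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed input instead of crashing the pipeline
        for rule, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], rule, ev["cmd"]))
    return findings


def correlate(findings, min_rules=2):
    """Hosts where several distinct rules fired: a single vssadmin call can be
    admin activity, but several of these in a row is pre-encryption staging."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: rules for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for f in found:
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] {f.cmd}")
    for host, rules in correlate(found).items():
        print(f"ALERT {host}: {len(rules)} recovery-inhibition behaviours: {sorted(rules)}")
```

On the constructed sample, the six commands on WS-0142 trigger all five rules and the host is raised as an alert, while the benign `vssadmin list shadows` and `wevtutil qe` on WS-0200 produce nothing. The per-host correlation is the important part: any one of these commands has legitimate uses, but several of them within seconds, under an interactive user, is the recovery-inhibition sequence that precedes encryption.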

“LockBit affiliates have been observed using various freeware and open source tools” during their intrusions, the agencies said. These tools are repurposed for a range of activities, including credential dumping, credential harvesting, file exfiltration, and remote access and tunnelling.

To support double extortion, in which stolen data is leaked if the ransom is not paid, the LockBit group provides its affiliates with a custom exfiltration tool called StealBit.

In late September 2022, a disgruntled LockBit developer leaked the LockBit 3.0 builder, dealing a severe blow to the ransomware gang and raising concerns that other criminal actors would use it to spin up their own variants.

The LockBit ransomware strain has been deployed against at least 1,000 victims globally, the U.S. Department of Justice said in November, earning the criminal organisation over $100 million in illicit proceeds.

As reported earlier this year by industrial cybersecurity company Dragos, LockBit 3.0 was responsible for 21% of the 189 ransomware attacks it recorded in Q4 2022, accounting for 40 incidents. The industrial and food sectors were hit particularly hard.

According to the FBI’s Internet Crime Complaint Center (IC3)’s most recent Internet Crime Report, the top three ransomware variants targeting critical infrastructure in 2022 were LockBit (149 victims), BlackCat (114 victims), and Hive (87 victims).

The advisory comes as the BianLian ransomware group has shifted its focus from encrypting its victims’ files to pure data-theft extortion, months after antivirus firm Avast released a free decryptor for it in January 2023.

In a related development, Kaspersky has released a free decryptor to assist victims whose data has been locked by ransomware based on the Conti source code, which leaked after Russia’s invasion of Ukraine last year led to internal disagreement among the group’s core members.

As Intel 471 noted a year ago, given the sophistication of ransomware operations like LockBit 3.0 and Conti, it is easy to forget that people run these criminal enterprises. As with any legitimate organisation, it takes only one disgruntled insider to destabilise a sophisticated system.

#StopRansomware: LockBit 3.0 – CISA Report

Ref Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
