LockBit 3.0 Ransomware: Inside the Cyberthreat That’s Costing Millions

U.S. government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.

“The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit,” the authorities said.

The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC).

Since emerging in late 2019, the LockBit actors have invested significant technical effort to develop and fine-tune their malware, issuing two major updates — LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively.

“LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode,” according to the alert. “If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”

The ransomware is also designed to infect only those machines whose language settings do not overlap with those specified in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

Initial access to victim networks is obtained via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and weaponization of public-facing applications.

Upon finding a successful ingress point, the malware takes steps to establish persistence, escalate privileges, carry out lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies, before initiating the encryption routine.
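As an added example (not from the advisory or this article), the following Python script correlates, per host, the pre-encryption cleanup described above: Windows event-log clearing (Security event 1102, System event 104) and a shadow-copy deletion process launch, run over constructed Sysmon/EVTX-style records. The field names and the 10-minute correlation window are assumptions to adapt to your SIEM schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry); field names are assumptions
# modelled on common Sysmon/EVTX exports.
SAMPLE_EVENTS = [
    {"ts": "2023-03-17T10:01:05", "host": "ws01", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2023-03-17T10:01:09", "host": "ws01", "channel": "Security", "event_id": 1102},
    {"ts": "2023-03-17T10:01:10", "host": "ws01", "channel": "System", "event_id": 104},
    # A lone log clear on another host: noisy on its own, so it should not alert.
    {"ts": "2023-03-17T11:30:00", "host": "ws02", "channel": "System", "event_id": 104},
]

# Windows "audit log cleared" (Security 1102) and "log file cleared" (System 104).
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def is_log_clear(ev):
    return (ev.get("channel"), ev.get("event_id")) in LOG_CLEARED


def is_shadow_copy_deletion(ev):
    """Sysmon process-create (ID 1) running vssadmin with a delete-shadows command line."""
    if ev.get("event_id") != 1 or not str(ev.get("channel", "")).startswith("Microsoft-Windows-Sysmon"):
        return False
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    return image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd


def correlate_cleanup(events, window=timedelta(minutes=10)):
    """Return {host: first_seen_iso} for hosts where both signals fall within `window`."""
    by_host = defaultdict(lambda: {"clear": [], "vss": []})
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if is_log_clear(ev):
            by_host[ev["host"]]["clear"].append(ts)
        elif is_shadow_copy_deletion(ev):
            by_host[ev["host"]]["vss"].append(ts)
    hits = {}
    for host, seen in by_host.items():
        pairs = [(c, v) for c in seen["clear"] for v in seen["vss"] if abs(c - v) <= window]
        if pairs:
            hits[host] = min(min(c, v) for c, v in pairs).isoformat()
    return hits


if __name__ == "__main__":
    for host, first in correlate_cleanup(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: log purge + shadow-copy deletion, first seen {first}")
```

Either signal alone is common in benign administration; the pairing within a short window on one host is what makes this worth paging on.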

“LockBit affiliates have been observed using various freeware and open source tools during their intrusions,” the agencies said. “These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration.”

One defining characteristic of the attacks is the use of a custom exfiltration tool referred to as StealBit, which the LockBit group provides to affiliates for double extortion purposes.

In November, the U.S. Department of Justice reported that the LockBit ransomware strain has been used against at least 1,000 victims worldwide, netting the operation over $100 million in illicit profits.

Industrial cybersecurity firm Dragos, earlier this year, revealed that LockBit 3.0 was responsible for 21% of 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 incidents. A majority of those attacks impacted the food and beverage and manufacturing sectors.

The FBI’s Internet Crime Complaint Center (IC3), in its latest Internet Crime Report, listed LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants victimizing critical infrastructure in 2022.

Despite LockBit’s prolific attack spree, the ransomware gang suffered a huge blow in late September 2022 when a disgruntled LockBit developer released the builder code for LockBit 3.0, raising concerns that other criminal actors could take advantage of the situation and spawn their own variants.
The advisory comes as the BianLian ransomware group has shifted its focus from encrypting its victims’ files to pure data-theft extortion attacks, months after cybersecurity company Avast released a free decryptor in January 2023.

In a related development, Kaspersky has published a free decryptor to help victims who have had their data locked down by a version of ransomware based on the Conti source code that leaked after Russia’s invasion of Ukraine last year led to internal friction among the core members.

“Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises,” Intel 471 noted last year. “And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation.”