A joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) shares known LockBit 3.0 ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as recently as March 2023.
LockBit 3.0 ransomware is the successor to the LockBit 2.0 and original LockBit ransomware programs and operates under a Ransomware-as-a-Service (RaaS) model. LockBit has operated as an affiliate-based ransomware variant since January 2020; affiliates deploying the LockBit RaaS use a broad variety of TTPs against a wide range of businesses and critical infrastructure organizations, which makes it difficult to defend computer networks effectively or to mitigate the effects of an attack.
LockBit 3.0, also known as “LockBit Black,” is an updated version of the ransomware that is more modular and evasive than its earlier incarnations. It also shares characteristics with the Blackmatter and Blackcat malware families.
LockBit 3.0 is configured at compile time with a wide variety of options, each of which influences how the ransomware operates. When the ransomware is executed inside a victim's environment, additional arguments can be passed to further adjust the malware's behavior. For instance, LockBit 3.0 accepts extra arguments for some actions, such as lateral movement and restarting in Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to a passwordless LockBit 3.0 build, executing the ransomware requires a password argument; affiliates who do not supply the correct password cannot run it. The password is a cryptographic key that decrypts the LockBit 3.0 executable. Encrypting the code in this way hinders malware detection and analysis, because the encrypted code is unreadable and cannot be executed as-is. Since the encrypted portion of the LockBit 3.0 executable changes with the cryptographic key used, each build produces a unique hash, so signature-based detections may fail to identify the LockBit 3.0 executable. Given the correct password, LockBit 3.0 decrypts its main component, continues decrypting or decompressing its code, and finally runs the ransomware.
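As an added illustration of the detection problem raised above (example code written for this article, not part of the advisory or of any LockBit sample), the Python script below scans process-creation log lines for command lines that carry the password and Safe Mode parameters. Because the file hash changes with every build key, the check keys on the documented parameters rather than on a hash or file name. The parameter names `-pass` and `-safe` are assumed from the advisory's command-line parameter table, which this page references but does not reproduce, and the log lines are constructed in a simplified Sysmon-like `Key=Value` layout.

```python
"""
Added example (not from the article or the advisory): flag Windows process-creation
events whose command line carries LockBit 3.0-style parameters.

Assumptions, labelled:
  - `-pass` (password used to unpack a non-passwordless build) and `-safe` (restart
    in Safe Mode) are parameter names assumed from the advisory's command-line
    parameter table, which this article references but does not reproduce.
  - The log lines below are constructed, in a simplified Sysmon-like Key=Value layout.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PASSWORD_FLAG = "-pass"   # assumed name of the password parameter
SAFE_MODE_FLAG = "-safe"  # assumed name of the Safe Mode restart parameter

# Key=Value pairs; quoted values may contain escaped quotes (\") and backslashes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Finding:
    utc_time: str
    user: str
    image: str
    flags: List[str] = field(default_factory=list)
    password_supplied: bool = False


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed log line into a field dict, un-quoting quoted values."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return fields


def split_command_line(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring quoted paths."""
    try:
        parts = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes stay literal
    except ValueError:                             # unbalanced quotes: fall back to whitespace
        parts = cmdline.split()
    return [p.strip('"') for p in parts]


def inspect_command_line(cmdline: str) -> Optional[Finding]:
    """Return a Finding if any watched parameter appears on the command line, else None."""
    argv = split_command_line(cmdline)
    if not argv:
        return None
    finding = Finding(utc_time="", user="", image=argv[0])
    for i, arg in enumerate(argv[1:], start=1):
        low = arg.lower()                          # match parameters case-insensitively
        if low == PASSWORD_FLAG:
            finding.flags.append(PASSWORD_FLAG)
            # The password is expected as the next token; a bare flag is still worth triage.
            finding.password_supplied = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        elif low == SAFE_MODE_FLAG:
            finding.flags.append(SAFE_MODE_FLAG)
    return finding if finding.flags else None


def scan_log(lines: List[str]) -> List[Finding]:
    """Run the command-line check over process-creation events (EventID 1) only."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        finding = inspect_command_line(ev.get("CommandLine", ""))
        if finding:
            finding.utc_time = ev.get("UtcTime", "")
            finding.user = ev.get("User", "")
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    'EventID=1 UtcTime=2023-03-10T02:14:07Z User="CORP\\svc_backup" '
    'CommandLine="C:\\Users\\Public\\lb3.exe -pass 1a2b3c4d5e6f7a8b -safe"',
    'EventID=1 UtcTime=2023-03-10T02:15:30Z User="CORP\\jdoe" '
    'CommandLine="C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'EventID=3 UtcTime=2023-03-10T02:16:01Z Image="C:\\Users\\Public\\lb3.exe" DestinationIp=10.0.0.5',
    'EventID=1 UtcTime=2023-03-10T02:17:45Z User="CORP\\jdoe" '
    'CommandLine="\\"C:\\Program Files\\Tool\\tool.exe\\" -PASS"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.utc_time} {f.user}: {f.image} flags={f.flags} "
              f"password_supplied={f.password_supplied}")
```

Two caveats follow from the paragraph itself: a passwordless build never shows the password parameter, so the absence of a hit proves nothing, and the check only works where command-line auditing is enabled. Treat a hit as a triage lead to corroborate with other behaviour, not as a conviction on its own.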
LockBit 3.0 only infects systems whose language settings do not match a specified exclusion list. A configuration flag set at compile time determines whether the system language is actually checked at runtime. The exclusion list includes, but is not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is found, LockBit 3.0 halts execution and does not infect the system [T1614.001].
To reduce the likelihood and impact of ransomware incidents, the FBI, CISA, and MS-ISAC advise organizations to implement the recommended mitigations.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.