LockBit 3.0 ransomware, also known as LockBit Black, is more modular and evasive than its previous versions and shares similarities with BlackMatter and BlackCat ransomware. It operates as Ransomware-as-a-Service (RaaS), encrypting files on targeted systems and demanding ransom payments from victims in exchange for decryption keys. The key characteristics of LockBit 3.0 are:
- First Appearance: LockBit 3.0 ransomware emerged in March 2022. Its affiliates use StealBit, a custom exfiltration tool first introduced with LockBit 2.0. The LockBit cybercriminal group, active since 2019, has presented LockBit 3.0 as the world's fastest and most stable ransomware.
- Infection Vector: Similar to its predecessors, LockBit 3.0 ransomware primarily spreads through various infection vectors, including phishing emails, malicious attachments, exploit kits, and vulnerabilities in software or systems. Attackers may utilize social engineering tactics to lure unsuspecting users into executing the malware payload.
- Encryption Mechanism: Upon infecting a system, LockBit 3.0 ransomware utilizes sophisticated encryption algorithms such as RSA or AES to encrypt files stored on local drives and network shares. This encryption process renders the files inaccessible to the victim without the decryption key, which is held by the attackers.
- Ransom Note and Payment: After encrypting the files, LockBit 3.0 ransomware typically presents victims with a ransom note containing instructions for payment. The ransom note specifies the ransom amount, often demanded in cryptocurrency like Bitcoin, and provides details on how to contact the attackers for further instructions on payment and decryption.
- Data Exfiltration Capability: LockBit 3.0 ransomware is known for its ability to exfiltrate sensitive data from compromised systems before encrypting files. This dual-threat approach allows attackers to extort ransom payments for decryption keys while also threatening to leak or sell stolen data if ransom demands are not met, increasing pressure on victims to comply.
- Persistence and Evasion Techniques: LockBit 3.0 ransomware employs various techniques to maintain persistence on infected systems and evade detection by security software. These include modifying system settings, disabling security tools, and employing anti-analysis methods to hinder detection and removal efforts. LockBit 3.0 also has a Safe Mode feature for circumventing endpoint antivirus and detection tools.
- Mitigation and Recovery: To mitigate the risk of LockBit 3.0 ransomware attacks, organizations should implement robust cybersecurity measures such as regular data backups, endpoint protection solutions, user education on phishing awareness, and timely software patching. In the event of an infection, organizations should follow incident response protocols, isolate affected systems, and consider options for recovery, including data restoration from backups and collaboration with cybersecurity professionals.
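The Safe Mode evasion described above relies on changing the host's boot configuration, and a defender can flag that change in process-creation telemetry. The following detector is an added example, not code from the page or from any advisory; it assumes events have already been parsed into dictionaries with `host` and `cmdline` keys (for instance from Sysmon Event ID 1 or Windows Security event 4688), that the Safe Mode change is made with the standard `bcdedit ... safeboot` command, and the sample events are constructed.

```python
"""Flag process-creation events that change the Windows Safe Mode boot setting."""
import re
from typing import Dict, List, Optional, Tuple

# `bcdedit /set {id} safeboot minimal|network` forces the next boot into Safe
# Mode, where most endpoint security services are not started.
SAFEBOOT_SET = re.compile(
    r"bcdedit(?:\.exe)?\b.*?/set\b.*?\bsafeboot\b\s+(minimal|network)", re.I)
# Deleting the value returns the host to a normal boot; on its own it still
# indicates that someone toggled Safe Mode and deserves a look.
SAFEBOOT_CLEAR = re.compile(
    r"bcdedit(?:\.exe)?\b.*?/deletevalue\b.*?\bsafeboot\b", re.I)


def classify(cmdline: str) -> Optional[str]:
    """Return a verdict label for a command line, or None if it is benign."""
    m = SAFEBOOT_SET.search(cmdline)
    if m:
        # "network" keeps SMB available, so shares stay reachable in Safe Mode;
        # it is the variant a ransomware operator is most likely to choose.
        return "safeboot_set_" + m.group(1).lower()
    if SAFEBOOT_CLEAR.search(cmdline):
        return "safeboot_cleared"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, verdict, cmdline) for every event that matches."""
    hits = []
    for ev in events:
        verdict = classify(ev.get("cmdline", ""))
        if verdict:
            hits.append((ev["host"], verdict, ev["cmdline"]))
    return hits


# Constructed sample telemetry (hypothetical hosts, not real data).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "WS02", "cmdline": "bcdedit.exe /set {current} safeboot minimal"},
    {"host": "WS03", "cmdline": "bcdedit /deletevalue {default} safeboot"},
    {"host": "WS04", "cmdline": "bcdedit /enum {current}"},
    {"host": "WS05", "cmdline": "msiexec.exe /i setup.msi /quiet"},
]

if __name__ == "__main__":
    for host, verdict, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {verdict}: {cmd}")
```

Administrators also run these commands legitimately, so treat a hit as a triage lead to correlate with a following reboot and with security services failing to start, not as a verdict by itself.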
See more details in:
- CISA Cybersecurity Advisory: #StopRansomware: LockBit 3.0 (March 16, 2023)
- CISA Cybersecurity Advisory: Understanding Ransomware Threat Actors: LockBit (June 14, 2023)