LockBit 3.0
LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter andBlackCat ransomware.LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such asLockBit 2.0.[1][2][3][4]
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism:Bypass User Account Control | LockBit 3.0 can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface.[3] |
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | LockBit 3.0 can use HTTP to send victim host information to C2.[3][4] |
| Enterprise | T1547 | .004 | Boot or Logon Autostart Execution:Winlogon Helper DLL | LockBit 3.0 can enable automatic logon through the |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter:PowerShell | LockBit 3.0 can use PowerShell to apply Group Policy changes.[3] |
| Enterprise | T1543 | .003 | Create or Modify System Process:Windows Service | LockBit 3.0 can install system services for persistence.[1] |
| Enterprise | T1132 | .001 | Data Encoding:Standard Encoding | LockBit 3.0 can Base64-encode C2 communication.[3] |
| Enterprise | T1486 | Data Encrypted for Impact | LockBit 3.0 can encrypt targeted data using the AES-256, ChaCha20, or RSA-2048 algorithms.[2][1][3][4] | |
| Enterprise | T1622 | Debugger Evasion | LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis.[1] | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TheLockBit 3.0 payload is decrypted at runtime.[1][3][4] | |
| Enterprise | T1484 | .001 | Domain or Tenant Policy Modification:Group Policy Modification | LockBit 3.0 can enable options for propogation through Group Policy Objects.[3] |
| Enterprise | T1573 | .001 | Encrypted Channel:Symmetric Cryptography | LockBit 3.0 can encrypt C2 communications with AES.[3] |
| Enterprise | T1480 | Execution Guardrails | LockBit 3.0 can make execution dependent on specific parameters including a unique passphrase and the system language of the targeted host not being found on a set exclusion list.[2][1][3] | |
| .002 | Mutual Exclusion | LockBit 3.0 can create and check for a mutex containing a hash of the | ||
| Enterprise | T1083 | File and Directory Discovery | LockBit 3.0 can exclude files associated with core system functions from encryption.[3] | |
| Enterprise | T1562 | .001 | Impair Defenses:Disable or Modify Tools | LockBit 3.0 can disable security tools to evade detection including Windows Defender.[2][3][4] |
| .009 | Impair Defenses:Safe Mode Boot | LockBit 3.0 can reboot the infected host into Safe Mode.[3] | ||
| Enterprise | T1070 | .001 | Indicator Removal:Clear Windows Event Logs | LockBit 3.0 can delete log files on targeted systems.[2][3] |
| .004 | Indicator Removal:File Deletion | LockBit 3.0 can delete itself from disk.[2][3] | ||
| Enterprise | T1490 | Inhibit System Recovery | LockBit 3.0 can delete volume shadow copies.[2][3][4] | |
| Enterprise | T1680 | Local Storage Discovery | LockBit 3.0 can enumerate local drive configuration.[3] | |
| Enterprise | T1112 | Modify Registry | LockBit 3.0 can change the Registry values for Group Policy refresh time, to disable SmartScreen, and to disable Windows Defender.[3][4] | |
| Enterprise | T1106 | Native API | LockBit 3.0 has the ability to directly call native Windows API items during execution.[1][4] | |
| Enterprise | T1135 | Network Share Discovery | LockBit 3.0 can identify network shares on compromised systems.[3] | |
| Enterprise | T1027 | .002 | Obfuscated Files or Information:Software Packing | LockBit 3.0 can use code packing to hinder analysis.[1][4] |
| .013 | Obfuscated Files or Information:Encrypted/Encoded File | TheLockBit 3.0 payload includes an encrypted main component.[1][3] | ||
| Enterprise | T1120 | Peripheral Device Discovery | LockBit 3.0 has the ability to discover external storage devices.[3] | |
| Enterprise | T1057 | Process Discovery | LockBit 3.0 can identify and terminate specific services.[1][2] | |
| Enterprise | T1021 | .002 | Remote Services:SMB/Windows Admin Shares | LockBit 3.0 can use SMB for lateral movement.[3] |
| Enterprise | T1489 | Service Stop | LockBit 3.0 can terminate targeted processes and services related to security, backup, database management, and other applications that could stop or interfere with encryption.[2][1][3][4] | |
| Enterprise | T1218 | .003 | System Binary Proxy Execution:CMSTP | LockBit 3.0 can attempt a CMSTP UAC bypass if it does not have administrative privileges.[1] |
| Enterprise | T1082 | System Information Discovery | LockBit 3.0 can enumerate system hostname and domain.[3] | |
| Enterprise | T1614 | .001 | System Location Discovery:System Language Discovery | LockBit 3.0 will not affect machines with language settings matching a defined exlusion list of mainly Eastern European languages.[2][3] |
| Enterprise | T1569 | .002 | System Services:Service Execution | LockBit 3.0 can usePsExec to execute commands and payloads.[2] |
| Enterprise | T1078 | .003 | Valid Accounts:Local Accounts | LockBit 3.0 can use a compromised local account for lateral movement.[3] |